我试图build立一个LDAP服务器来validation多个服务器,如FTP和半径(甚至可能是SSH?)
我有一个路由器(ddwrt),我已经能够在freeradius中使用明文密码进行身份validation。 现在我想使用一个ldap服务器来存储用户和密码
我已经build立了我的ldap服务器,并且可以使用以下方法进行身份validation:
kevin@kevin-desktop:~$ radtest ldapuser password123 127.0.0.1 2 testing123 Sending Access-Request of id 182 to 127.0.0.1 port 1812 User-Name = "ldapuser" User-Password = "password123" NAS-IP-Address = 127.0.1.1 NAS-Port = 2 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=182, length=20 但是,当我尝试使用ddwrt进行身份validation – > freeradius时,我收到以下消息:
rad_recv: Access-Request packet from host 192.168.11.1 port 52101, id=0, length=129 User-Name = "ldapuser" NAS-IP-Address = 192.168.11.1 Called-Station-Id = "10da43747fcb" Calling-Station-Id = "accf8528974e" NAS-Identifier = "10da43747fcb" NAS-Port = 49 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000d016c64617075736572 Message-Authenticator = 0x99372f408b0979fc103af5112b81501a # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 1 ++[files] = ok [ldap] performing user authorization for ldapuser [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> ldapuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser) [ldap] expand: dc=kevin,dc=local -> dc=kevin,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.11.21:389, authentication 0 [ldap] bind as cn=admin,dc=kevin,dc=local/pwd to 192.168.11.21:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=kevin,dc=local, with filter (uid=ldapuser) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> User-Password == "{SSHA}fqS7t/ZXimCnTgsXcsGDQF9WP+atmjVG" [ldap] userPassword -> Password-With-Header == "{SSHA}fqS7t/ZXimCnTgsXcsGDQF9WP+atmjVG" [ldap] looking for reply items in directory... [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +group LDAP { [ldap] Attribute "User-Password" is required for authentication. You seem to have set "Auth-Type := LDAP" somewhere. THAT CONFIGURATION IS WRONG. DELETE IT. YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY. ++[ldap] = invalid +} # group LDAP = invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [eap] Request was previously rejected, inserting EAP-Failure ++[eap] = updated [attr_filter.access_reject] expand: %{User-Name} -> ldapuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 0 to 192.168.11.1 port 52101 EAP-Message = 0x04000004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +9 Ready to process requests.
我如何正确设置openldap与openldap?
这里的关键信息是:
[ldap]validation需要属性“用户密码”。
你似乎在某处设置了“Auth-Type:= LDAP”。 这个configuration是错误的。 删除它。 您正在防止服务器正常工作。
我看不到更新部分,但我敢打赌,你已经将set_auth_type设置为yes,或者raddb/users第1行的条目具有如下的内容:
DEFAULT Auth-Type := LDAP
无论哪种情况,您都应该删除条目。
通过设置Auth-Type,您正在强制服务器执行特定types的身份validation,这可能不适合给定请求中的属性。
FreeRADIUS wiki上的RADIUS Concepts提供了服务器如何决定使用哪种authentication方法的说明。
对于EAPvalidation(这是DD-WRT正在尝试的),您需要将LDAP和PAP模块添加到sites-available/inner-tunnel的授权部分,并确保您的Password-With-Header属性指向正确的LDAP属性。
显然,您必须将密码以明文forms存储在ldap服务器上,以使PEAP正常工作。
我遵循这个教程(非常基本的设置): https : //www.youtube.com/watch?v = weTfRslHhZY
脚步:
在/ etc / freeradius / modules / ldap中修改设置:
server = "server.address" identity = "cn=admin,dc=example,dc=com" password = admin_password basedn = "dc=example,dc=com"
在/ etc / freeradius / sites-available / default授权部分:
comment file uncomment ldap
在/ etc / freeradius / sites-available / inner-tunnel中
授权部分:
comment file uncomment ldap
validation部分:取消注释:
Auth-Type LDAP { ldap }
他们忽略了这个事实,你必须保持密码明文,我在这里发现:
http://tech.sybreon.com/2011/01/18/freeradius-openldap-dd-wrt/
显然你不能创build一个简单的组织组posix帐户,你必须从我从这里得到一个posix组创build它:
最后,我不得不使用jxexplore和phpldapadmin来添加我的用户,因为jxexplore不喜欢添加明文密码。 只需在jxexplore上创build没有密码的帐户,然后将密码添加到phpldapadmin中的用户。 (当我有机会的时候我会更新这个)