1.yum 安装freeradius
# freeradius-ldap supplies the ldap module (rlm_ldap) configured in step 2;
# freeradius-utils supplies the radtest/radclient tools used for testing.
yum -y install freeradius freeradius-utils freeradius-ldap vim
2.编辑 /etc/raddb/mods-available/ldap（vim），根据实际环境修改 server、identity/password 以及 dc 的值
[root@localhost ~]# cat /etc/raddb/mods-available/ldap | grep -v "#"|grep -v "^$"
# rlm_ldap instance: binds to the directory, looks users up by uid and maps
# LDAP attributes onto RADIUS control/reply items.
ldap {
  server = 'x.x.x.x'   # ldap server ip
  port = 389   # ldap server port
  # NOTE(review): port 389 together with the empty tls { } section below means the
  # bind password and every userPassword read travel the network in clear text;
  # enable StartTLS (start_tls = yes with a CA file) or ldaps before leaving the lab.
  identity = 'cn=admin,dc=openldap,dc=cn'   # ldap admin dn
  # NOTE(review): presumably the directory administrator — a dedicated read-only
  # bind DN limited to the attributes used below is enough for authentication.
  password = 123456   # ldap admin passwd
  # NOTE(review): sample value; use a unique, strong bind password and confirm
  # this file is readable only by the radiusd user.
  base_dn = 'dc=openldap,dc=cn'   # ldap dn
  sasl { }
  # Attributes copied from the LDAP user entry into the request.
  update {
    control:Password-With-Header += 'userPassword'   # RADIUS takes the stored credential from the user's LDAP entry
    # NOTE(review): the bind DN therefore needs read access to userPassword —
    # restrict that LDAP ACL to this DN only (verify on the directory side).
    control:NT-Password := 'ntPassword'
    reply:Reply-Message := 'radiusReplyMessage'
    reply:Tunnel-Type := 'radiusTunnelType'   # tunnel type: VLAN
    reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'   # medium type: IEEE-802
    reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'   # the VLAN id
  }
  user {
    base_dn = "${..base_dn}"
    # Stripped-User-Name when present, otherwise the raw User-Name.
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    sasl { }
  }
  group {
    base_dn = "${..base_dn}"
    filter = '(objectClass=posixGroup)'
    membership_attribute = 'memberOf'
  }
  profile { }
  # RADIUS clients read from LDAP objects of class radiusClient.
  client {
    base_dn = "${..base_dn}"
    filter = '(objectClass=radiusClient)'
    template { }
    attribute {
      ipaddr = 'radiusClientIdentifier'
      secret = 'radiusClientSecret'
    }
  }
  # Accounting writes a timestamped description back to the user entry.
  accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"
    type {
      start { update { description := "Online at %S" } }
      interim-update { update { description := "Last seen at %S" } }
      stop { update { description := "Offline at %S" } }
    }
  }
  post-auth {
    update { description := "Authenticated at %S" }
  }
  options {
    chase_referrals = yes
    rebind = yes
    # NOTE(review): with referral chasing on, rebind = yes re-sends the bind
    # credentials above to whichever server a referral points at — confirm those
    # servers are trusted.
    res_timeout = 10
    srv_timelimit = 3
    net_timeout = 1
    idle = 60
    probes = 3
    interval = 3
    ldap_debug = 0x0028
  }
  tls { }   # NOTE(review): empty — no certificate validation or StartTLS configured here
  pool {
    start = ${thread[pool].start_servers}
    min = ${thread[pool].min_spare_servers}
    max = ${thread[pool].max_servers}
    spare = ${thread[pool].max_spare_servers}
    uses = 0
    retry_delay = 30
    lifetime = 0
    idle_timeout = 60
  }
}
3.vim /etc/raddb/sites-available/site-ldap
vim /etc/raddb/sites-available/site-ldap
# Virtual server that forces every request on this listener through the ldap module.
server site_ldap {
  listen {
    ipaddr = 0.0.0.0   # NOTE(review): binds every interface; restrict to the interface the NAS devices reach where possible
    port = 1833   # non-standard auth port (the conventional one is 1812/udp)
    type = auth
    # NOTE(review): the client list in clients.conf is the only access control on
    # this listener, so keep that list tight.
  }
  authorize {
    update {
      control:Auth-Type := ldap   # ':=' overrides any Auth-Type set earlier; LDAP is the only path
    }
  }
  authenticate {
    Auth-Type ldap {
      ldap
    }
  }
  post-auth {
    Post-Auth-Type Reject { }
  }
}
取消这两个文件里面关于ldap的注释
# Uncomment the ldap references in both enabled virtual servers — the `ldap`
# line in authorize and the `Auth-Type LDAP { ldap }` block in authenticate
# (see the excerpt below).
vim /etc/raddb/sites-enabled/default
vim /etc/raddb/sites-enabled/inner-tunnel
750         ldap
...
526         Auth-Type LDAP {
527                 ldap
528         }
将刚才编辑的ldap和site_ldap模块开启
# Enable the ldap module and the site_ldap virtual server by linking them
# into the *-enabled directories.
ln -s /etc/raddb/sites-available/site-ldap /etc/raddb/sites-enabled/
ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
vim /etc/raddb/clients.conf
# RADIUS client definition: which NAS devices may talk to this server and
# the shared secret they must present.
client all {
  ipaddr = 0.0.0.0/0   # NOTE(review): accepts RADIUS from any source address; list the switch/NAS subnets instead
  secret = 123456   # the RADIUS secret must match the one configured on the switch
  # NOTE(review): sample value — use a long random secret; it is the only thing
  # authenticating the NAS to this server and protecting User-Password in transit.
  #require_message_authenticator = no
  # NOTE(review): keep Message-Authenticator required (do not set this to no);
  # it is what lets the server verify a request was not forged or altered.
}
使用 radiusd -X（前台调试模式）测试，没有问题后即可正式启用。注意调试输出会以明文显示收到的 User-Password 等属性，不要把这类日志原样分享。
systemctl restart radiusd
systemctl status radiusd
systemctl enable radiusd

From: https://www.cnblogs.com/wanglilu1987/p/17720690.html