1.yum 安装freeradius
yum -y install freeradius freeradius-utils freeradius-ldap vim
2.编辑 vim /etc/raddb/mods-available/ldap 根据实际情况修改dc的值
[root@localhost ~]# cat /etc/raddb/mods-available/ldap | grep -v "#"|grep -v "^$"
ldap {
server = 'x.x.x.x' #ldap server ip
port = 389 #ldap server port
identity = 'cn=admin,dc=openldap,dc=cn' #ldap admin dn
password = 123456 #ldap admin passwd
base_dn = 'dc=openldap,dc=cn' #ldap dn
sasl {
}
update {
control:Password-With-Header += 'userPassword' #radius去ldap继承用户信息里的属性
control:NT-Password := 'ntPassword'
reply:Reply-Message := 'radiusReplyMessage'
reply:Tunnel-Type := 'radiusTunnelType' #这个是隧道类型 VLAN
reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' #这个是协议类型 IEEE-802
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' #这个是 vlan id
}
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=posixGroup)'
membership_attribute = 'memberOf'
}
profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
tls {
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
3.vim /etc/raddb/sites-available/site-ldap
vim /etc/raddb/sites-available/site-ldap
server site_ldap {
listen {
ipaddr = 0.0.0.0
port = 1833
type = auth
}
authorize {
update {
control:Auth-Type := ldap
}
}
authenticate {
Auth-Type ldap {
ldap
}
}
post-auth {
Post-Auth-Type Reject {
}
}
}
取消这两个文件里面关于ldap的注释
vim /etc/raddb/sites-enabled/default
vim /etc/raddb/sites-enabled/inner-tunnel
750 ldap
...
526 Auth-Type LDAP {
527 ldap
528 }
将刚才编辑的ldap和site_ldap模块开启
ln -s /etc/raddb/sites-available/site-ldap /etc/raddb/sites-enabled/ ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
vim /etc/raddb/clients.conf
client all {
ipaddr = 0.0.0.0/0
secret = 123456 #radius的密码要和交换机设置的一样
#require_message_authenticator = no
}
使用radiusd -X测试没问题就可以使用了
systemctl restart radiusd systemctl status radiusd systemctl enable radiusd标签:dn,vim,centos7,etc,raddb,openldap,yum,base,ldap From: https://www.cnblogs.com/wanglilu1987/p/17720690.html