02.FreeIPA、FreeRadius双因子认证

一、安装先决条件

1. Rocky 8 （2G内存以上，30G硬盘，镜像源修改为阿里云）

二、安装FreeIPA

修改SeLinux、关闭防火墙、更新系统：

timedatectl set-timezone Asia/Shanghai
setenforce 0
systemctl stop firewalld.service
dnf  update

安装前准备：

设置主机名：
hostnamectl set-hostname freeipa.test.local
修改host，并保留以下内容：
vim /etc/hosts
192.168.248.128 freeipa.test.local

Rocky8需要使用输入以下命令，方可安装ipa；而Rocky9是不需要的。

默认情况，FreeIPA软件包在Rocky标准库中不可用，需要启用idm:DL1存储库，然后同步存储库
dnf module enable idm:DL1
dnf distro-sync

安装FreeIPA Server

安装相关组件
dnf install ipa-server ipa-server-dns -y

部署FreeIPA

ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.10.1

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com


Server host name [freeipa.test.local]:

The domain name has been determined based on the host name.

Please confirm the domain name [test.local]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [TEST.LOCAL]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [TEST]:

Do you want to configure chrony with NTP server or pool address? [no]: no

The IPA Master Server will be configured with:
Hostname:       freeipa.test.local
IP address(es): 192.168.248.128
Domain name:    test.local
Realm name:     TEST.LOCAL

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=TEST.LOCAL
Subject base: O=TEST.LOCAL
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

如下部署完成：

修改Windows的hosts文件，并添加如下内容：

C:\Windows\System32\drivers\etc\hosts
192.168.248.128  freeipa.test.local

通过之前设置的用户密码进行登录；

添加用户：

关联Token：



通过OTP软件进行扫描，我这里使用的是微软推出的Authenticaor，这个软件能够通过微软账号进行同步：

选择账户认证类型：

使用刚才创建的test01账号登录freeipa，在第一次登录的时候只使用密码登陆即可，并在后面修改用户密码：

需要注意的是，这里的密码是通过“密码+OTP”的组合。比如，你的密码是“123456”，而OTP是“203221”，那么这里的密码就是“123456203221”。

重置你们的密码：

即可显示如下信息：

需要注意的是，freeipa上面的OTP都是一次性的，已经使用过的OTP是没有办法继续使用的。

三、安装配置FreeRaiuds

安装freeradius：

dnf install freeradius freeradius-utils freeradius-ldap freeradius-krb5

配置freeradius的/etc/raddb/clients.conf文件:

### 配置Radius认证的客户端网段
vim /etc/raddb/clients.conf
client localhost {
	ipaddr = 192.168.248.0/24
	proto = *
	secret = testing123
	require_message_authenticator = no
	nas_type = other
	limit {
		max_connections = 16
		life = 0
		idel_timeout = 30
	}
}
### ipv6配置类似配置即可

配置freeradius的/etc/raddb/sites-enabled/default中的ldap配置，确保认证用户从ldap数据库中获取数据：

vim /etc/raddb/sites-enabled/default
### 在authorize模块启用LDAP
authorize {
	ldap
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
}

### 在authenticate模块启用LDAP
authenticate {
	Auth-Type LDAP {
		ldap
	}
}

配置freeradius的/etc/raddb/sites-enabled/inner-tunnel中的ldap配置，确保认证用户从ldap数据库中获取数据：

vim /etc/raddb/sites-enabled/inner-tunnel
### 在authorize模块启用LDAP
authorize {
	ldap
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
}

### 在authenticate模块启用LDAP
authenticate {
	Auth-Type LDAP {
		ldap
	}
}

将LDAP添加到mods-enabled中

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/

我们通过ldapsearch搜索一下，查看dn的具体信息，在这里需要输入之前设置的ldap密码：

ldapsearch -x -v -W -D 'cn=Directory Manager' uid=test01 | grep test01

修改mods-enabled中LDAP属性"

vim /etc/raddb/mods-available/ldap

ldap {
	server = 'freeipa.test.local'
	base_dn = 'cn=compat,dc=test,dc=local'
}

然后就可以启动radiusd的调式模式，验证相关功能是否正常；

radiusd -X

在出现上述显示之后，我们再打开一个终端进行测试，我们从本地发起测试，所以对应要用到上面设置的 secret，用test01登录，这里 1qaz2wsx217117 是 test01密码和OTP的组合。

我们已经看到Received Access-Accept就可以了。
设置Radius开机自动启动

systemctl enable radiusd
systemctl start radiusd

五、问题点：

1、问题1

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

解决方式：
RockyLinux 安装过程中会出现如上报错，则说明本地已存在其他证书系统，需要删除相关证书文件。

2、问题2

Unable to check file "/etc/raddb/certs/server.pem": No such file or directory
/etc/raddb/mods-enabled/eap[183]: Failed parsing configuration item "private_key_file"
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"

解决方式：
需要生成相关证书，大家也可以自行编译相关的证书，证书配置文件也在这个目录下面。

cd /etc/raddb/certs
./bootstrap