1安装软件:
yum install freeradius freeradius-ldap freeradius-utils -y
2启动服务
systemctl start radiusd.service
3开机自动启动
systemctl enable radiusd.service
4修改配置文件 /etc/raddb/mods-available/ldap，主要修改 ldap 部分，其它都保持默认
[root@10-57-22-55 mods-available]# cat /etc/raddb/mods-available/ldap | grep -v '#' | grep -v ^$
# rlm_ldap module instance (FreeRADIUS 3.x). The listing was produced with
# '#' lines stripped, so the remarks kept here are the author's annotations of
# what was changed, not the comments shipped in the stock file.
ldap {
# Directory server address. Plain LDAP on port 389 together with the empty
# tls {} section below means the bind credentials (identity/password) and every
# user password sent by the "Auth-Type ldap" bind in site_ldap cross the network
# unencrypted. In 3.x prefer server = 'ldaps://<host>' (port 636) or
# start_tls = yes inside tls {}, with a ca_file so the server cert is verified.
server = 'x.x.8.55' #directory server
port = 389 #port
# Service account used for the search bind. Keep it a read-only, least-privilege
# account: it only needs to locate users and read group membership.
identity = 'CN=opsldap,CN=Users,DC=txxxdxx,DC=me' #LDAP bind account
# Stored in clear text in this file: restrict the file to root/radiusd
# (mode 0640 or tighter) and never paste the real value into tickets or docs.
password =xxxxxxxx #LDAP bind password
base_dn = 'DC=txxxdxx,DC=me' #base DN
sasl {
}
update {
# Attribute mapping read from the user object. Against Active Directory the
# userPassword attribute is typically not readable, so Password-With-Header is
# expected to stay empty; authentication here relies on the LDAP bind that
# site_ldap forces instead.
control:Password-With-Header += 'userPassword'
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
edir = no #modified here
user {
base_dn = "${..base_dn}"
# AD login name lookup. The expansion is request-supplied input; keep it inside
# this filter (where rlm_ldap is expected to apply LDAP filter escaping) rather
# than assembling a filter from the raw value elsewhere.
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" #changed to sAMAccountName
#defaults below
sasl {
}
}
group {
base_dn = "${..base_dn}"
# NOTE(review): left at the posixGroup default; AD groups are objectClass=group,
# so group-based checks will presumably not match until this is changed — confirm.
filter = '(objectClass=posixGroup)'
membership_attribute = 'memberOf'
}
profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
# Referrals are followed and, with rebind = yes, the bind identity/password
# above is re-sent to every referred server. Keep this only if all referral
# targets are trusted and reached over TLS; otherwise set rebind = no.
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
# libldap debug mask; raise it only while troubleshooting, since the output
# may include bind DNs and search filters.
ldap_debug = 0x0028
}
# Empty: no TLS for the LDAP connection (see the note at 'server' above).
tls {
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
5在 mods-enabled/ 下执行 ln，注意命令末尾有一个点（表示当前目录）
ln -s ../mods-available/ldap .
6在 sites-available/ 下创建 site_ldap
[root@10-57-22-55 sites-available]# cat site_ldap
# Virtual server that authenticates every request by binding to the directory
# as the user: the password is checked by LDAP, not by FreeRADIUS itself.
server site_ldap {
listen {
# Binds on every interface. Restrict it to the interface the NAS devices use
# (or firewall 1833/udp): only clients listed in clients.conf with a matching
# shared secret are accepted, and RADIUS offers no transport encryption of its own.
ipaddr = 0.0.0.0
port = 1833
type = auth
}
authorize {
update {
# Unconditionally forces LDAP bind authentication, bypassing any other authorize
# logic. The ldap module needs a clear-text User-Password to bind, so requests
# arriving via CHAP or EAP are expected to be rejected here.
control:Auth-Type := ldap
}
}
authenticate {
Auth-Type ldap {
# Bind to the directory with the user's own credentials. With the module on
# plain LDAP (port 389, empty tls section) this bind sends the password in clear.
ldap
}
}
post-auth {
# Nothing is done on reject; add logging or reply attributes here if needed.
Post-Auth-Type Reject {
}
}
}
7在 sites-enabled/ 下执行 ln，注意命令末尾有一个点（表示当前目录）
ln -s ../sites-available/site_ldap .
重启 radiusd 服务
systemctl restart radiusd.service
测试命令如下
# The last argument is the shared secret of the 'localhost' client and must match
# the secret set for that client in clients.conf; 'testing123' is the value the
# stock clients.conf ships with, so replace it before any non-loopback client is
# allowed to reach the listener.
radtest user password localhost:1833 0 testing123
以下结果表示成功：Received Access-Accept（密码带特殊字符时需要用单引号 '...' 引起来）
[root@10-57-22-55 sites-available]# radtest shanfu.wu 'xxx!*@Txxxdxx' localhost:1833 0 testing123
Sent Access-Request Id 133 from 0.0.0.0:34144 to 127.0.0.1:1833 length 79
User-Name = "shanfu.wu"
User-Password = "xxxxxx"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "xxxxxx"
Received Access-Accept Id 133 from 127.0.0.1:1833 to 0.0.0.0:0 length 20
以下为密码错误时的结果：Received Access-Reject
[root@10-57-22-55 sites-available]# radtest shanfu.wu xxxxx localhost:1833 0 testing123
Sent Access-Request Id 114 from 0.0.0.0:37246 to 127.0.0.1:1833 length 95
User-Name = "shanfu.wu"
User-Password = "xxxxx"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "xxxx"
Received Access-Reject Id 114 from 127.0.0.1:1833 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject