Installing and deploying LDAP and RADIUS services on CentOS 8

1. Installing and deploying the LDAP service

CentOS 8 does not provide an openldap-server package by default. On the principle of using what the system ships with (first, because those packages have been through several rounds of selection; second, because the system can then be upgraded smoothly), FreeIPA is used here. It provides the LDAP service along with a reasonably good web UI for day-to-day administration, but the web UI has no tree view; if you need one, use LdapAdmin or Apache Directory Studio.

1.1 Install the FreeIPA package

# dnf module -y install idm:DL1

1.2 Install the FreeIPA server

# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.7.1

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

# confirm hostname and Enter
Server host name [master.test.org]:

# confirm domain name and Enter
Please confirm the domain name [master.test.org]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

# confirm realm name and Enter
Please provide a realm name [MASTER.TEST.ORG]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

# set Directory Manager password
Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

# set IPA admin password
IPA admin password:
Password (confirm):

......

The IPA Master Server will be configured with:
Hostname:       master.test.org
IP address(es): 192.168.1.5
Domain name:    test.org
Realm name:     TEST.ORG

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=TEST.ORG
Subject base: O=TEST.ORG
Chaining:     self-signed

# confirm settings and proceed with [yes]
Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
.....
.....
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

After installation, initialize the administrator and obtain a Kerberos ticket.

# kinit admin 
Password for admin@TEST.ORG:     # IPA admin password

Check the result with the following command:

# klist

Ticket cache: KCM:0
Default principal: admin@TEST.ORG

For installation details, see the official Red Hat Identity Management documentation.

1.3 Configure the firewall

# firewall-cmd --add-service=freeipa-4 --permanent
# firewall-cmd --reload

1.4 Other tasks

Mainly adding accounts and managing the organizational structure.

2. Installing and deploying the RADIUS service

2.1 Install the FreeRADIUS packages

# dnf install freeradius freeradius-ldap freeradius-utils

2.2 Configure /etc/raddb/clients.conf

client localnet {
        ipaddr = 192.168.1.0/24
        proto = *
        secret = <input_your_secret>
        nas_type = other
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
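The client block above is the trust boundary of the RADIUS server: every host in the ipaddr range that knows the secret can submit authentication requests, and that same shared secret is all that protects User-Password between the NAS and radiusd. The placeholder therefore has to be replaced with a long random value (for example the output of openssl rand -base64 24), and the range kept as narrow as the NAS population allows. The shell script below is an added example, not part of the original post or of FreeRADIUS: it audits a clients.conf for a placeholder, default or short secret and for an over-broad ipaddr, running against two constructed sample files written to a temporary directory (one mirroring the block above with the placeholder left in, one hardened). The client names, temp paths and the sample secret are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or FreeRADIUS): audit the client
# blocks of a FreeRADIUS clients.conf before starting radiusd.
# All files below are constructed samples written to a temporary directory.

# Print the value of one key inside the named client block.
# $1 = clients.conf path, $2 = client name, $3 = key (e.g. secret, ipaddr)
client_value() {
    awk -v name="$2" -v key="$3" '
        $1 == "client" && $2 == name { depth = 1; next }          # enter the block
        depth == 1 && $1 == key && $2 == "=" {                     # key at block level
            v = $3; gsub(/"/, "", v); print v; exit
        }
        depth > 0 { depth += gsub(/\{/, "{") - gsub(/\}/, "}") }   # track nesting
    ' "$1"
}

# Exit 0 when the secret must be changed: empty, a <placeholder>, the
# FreeRADIUS sample value testing123, or shorter than 16 characters.
secret_is_weak() {  # $1 = secret
    s=$1
    case "$s" in
        "" | "<"*">" | testing123) return 0 ;;
    esac
    [ "${#s}" -lt 16 ] && return 0
    return 1
}

# Exit 0 when ipaddr admits far more than one NAS network: any-address
# forms, or an IPv4/IPv6 prefix shorter than /16.
scope_is_broad() {  # $1 = ipaddr value
    case "$1" in
        "*" | 0.0.0.0 | 0.0.0.0/0 | :: | ::/0) return 0 ;;
        */*) prefix=${1##*/}; [ "$prefix" -lt 16 ] && return 0 ;;
    esac
    return 1
}

# Print findings for one client block; return the number of findings.
audit_client() {  # $1 = clients.conf path, $2 = client name
    findings=0
    secret=$(client_value "$1" "$2" secret)
    ipaddr=$(client_value "$1" "$2" ipaddr)
    if secret_is_weak "$secret"; then
        echo "$2: shared secret is a placeholder, a default, or shorter than 16 characters"
        findings=$((findings + 1))
    fi
    if scope_is_broad "$ipaddr"; then
        echo "$2: ipaddr '$ipaddr' accepts RADIUS from far more than the NAS network"
        findings=$((findings + 1))
    fi
    return $findings
}

WORK=$(mktemp -d)
WEAK_CONF=$WORK/clients-weak.conf
HARD_CONF=$WORK/clients-hardened.conf

# Constructed sample: the block from the post with the placeholder left in place.
cat >"$WEAK_CONF" <<'EOF'
client localnet {
        ipaddr = 192.168.1.0/24
        proto = *
        secret = <input_your_secret>
        nas_type = other
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
EOF

# Constructed sample: one block per NAS, each with its own long random secret
# (made up here; generate real ones with: openssl rand -base64 24).
cat >"$HARD_CONF" <<'EOF'
client wifi-controller {
        ipaddr = 192.168.1.20
        proto = udp
        secret = "Wq7pL2vX9mR4tB8nK3zJ6hF1sD5gA0cE"   # example value only
        nas_type = other
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
EOF

echo "== $WEAK_CONF =="
if audit_client "$WEAK_CONF" localnet; then echo "localnet: OK"; fi
echo "== $HARD_CONF =="
if audit_client "$HARD_CONF" wifi-controller; then echo "wifi-controller: OK"; fi
```

Run it as a pre-start check (for example from a deployment script, pointing it at the real /etc/raddb/clients.conf and the client names you defined); a non-zero return from audit_client means the block should not go live as written.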

2.3 Configure /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel

Find the following lines (in the authorize section):

        #  The ldap module reads passwords from the LDAP database.
        -ldap

Replace them with the following, which sets Auth-Type to ldap whenever the LDAP lookup succeeded and the request carries a cleartext User-Password:

        #
        #  The ldap module reads passwords from the LDAP database.
        ldap
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }

Uncomment the following lines (in the authenticate section):

#       Auth-Type LDAP {
#               ldap
#       }

2.4 Configure /etc/raddb/mods-available/ldap

Find the following lines:

#        server = "ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org"
...
#       base_dn = "dc=example,dc=org"
...

Replace them with:

        server = "master.test.org" # the host name set when installing FreeIPA
...
        base_dn = "dc=test,dc=org"
...
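With these settings radiusd talks to master.test.org over plain LDAP on port 389 and verifies each user's password by binding to the directory as that user, so the password crosses the network unencrypted unless TLS is enabled in the same file: either a server = "ldaps://..." URI or start_tls = yes in the tls subsection, together with require_cert = 'demand' so that the directory's certificate is actually verified. The module also only loads once it is linked into /etc/raddb/mods-enabled. The script below is an added example, not from the original post or FreeRADIUS: it checks both points against two constructed sample trees in a temporary directory (one with the settings above and the module not yet enabled, one using ldaps with FreeIPA's CA certificate). The sample file contents, the temp paths and the choice of /etc/ipa/ca.crt as CA file are the example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or FreeRADIUS): check that the
# ldap module is enabled and that its binds to the directory use verified TLS.
# All files below are constructed samples written to a temporary directory.

# Print the value of a key inside a block path of a FreeRADIUS config file.
# $1 = file, $2 = block path such as "ldap" or "ldap/tls", $3 = key name
conf_value() {
    awk -v want="$2" -v key="$3" -v q="'" '
        { sub(/#.*/, "") }                              # drop comments
        NF == 0 { next }
        $NF == "{" {                                    # a block opens: push its name
            name = ($1 == "{") ? "" : $1
            path = (depth == 0) ? name : (path "/" name)
            depth++; next
        }
        $1 == "}" {                                     # a block closes: pop it
            depth--; sub(/\/?[^\/]*$/, "", path); next
        }
        path == want && $1 == key && $2 == "=" {
            v = $3; gsub(/"/, "", v); gsub(q, "", v); print v; exit
        }
    ' "$1"
}

# Exit 0 when the module is enabled (radiusd only loads mods-enabled/*).
module_enabled() {  # $1 = raddb directory, $2 = module name
    [ -e "$1/mods-enabled/$2" ]
}

# Exit 0 when binds are encrypted: an ldaps:// URI or StartTLS on the plain port.
ldap_transport_encrypted() {  # $1 = mods-available/ldap file
    case "$(conf_value "$1" ldap server)" in
        ldaps://*) return 0 ;;
    esac
    [ "$(conf_value "$1" ldap/tls start_tls)" = yes ]
}

# Exit 0 when the directory's certificate is verified rather than merely accepted.
ldap_cert_verified() {  # $1 = mods-available/ldap file
    [ "$(conf_value "$1" ldap/tls require_cert)" = demand ]
}

# Print a short report for one raddb tree; return the number of problems found.
audit_ldap_module() {  # $1 = raddb directory
    problems=0
    f=$1/mods-available/ldap
    if ! module_enabled "$1" ldap; then
        echo "ldap module not enabled: ln -s ../mods-available/ldap $1/mods-enabled/ldap"
        problems=$((problems + 1))
    fi
    if ! ldap_transport_encrypted "$f"; then
        echo "binds to $(conf_value "$f" ldap server) are unencrypted: use ldaps:// or tls { start_tls = yes }"
        problems=$((problems + 1))
    fi
    if ! ldap_cert_verified "$f"; then
        echo "require_cert is not 'demand': the directory's certificate is not verified"
        problems=$((problems + 1))
    fi
    return $problems
}

WORK=$(mktemp -d)
for tree in plain tls; do
    mkdir -p "$WORK/$tree/mods-available" "$WORK/$tree/mods-enabled"
done

# Constructed sample: the settings from the post, tls left at the shipped defaults,
# module not yet enabled.
cat >"$WORK/plain/mods-available/ldap" <<'EOF'
ldap {
        server = "master.test.org"     # the host name set when installing FreeIPA
        base_dn = "dc=test,dc=org"
        user {
                base_dn = "${..:base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        tls {
                start_tls = no
                require_cert = 'allow'
        }
}
EOF

# Constructed sample: ldaps to the IPA server, verified against FreeIPA's CA,
# users searched in the container FreeIPA keeps them in, module enabled.
cat >"$WORK/tls/mods-available/ldap" <<'EOF'
ldap {
        server = "ldaps://master.test.org"
        base_dn = "dc=test,dc=org"
        user {
                base_dn = "cn=users,cn=accounts,${..:base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        tls {
                ca_file = /etc/ipa/ca.crt
                require_cert = 'demand'
        }
}
EOF
ln -s ../mods-available/ldap "$WORK/tls/mods-enabled/ldap"

for tree in plain tls; do
    echo "== $WORK/$tree =="
    if audit_ldap_module "$WORK/$tree"; then echo "OK"; fi
done
```

Point audit_ldap_module at /etc/raddb to check the live tree; since ldaps uses port 636, the freeipa-4 firewalld service opened earlier already permits it on the IPA server.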

2.5 Configure the firewall

# firewall-cmd --add-service=radius --permanent
# firewall-cmd --reload

2.6 Verification

2.6.1 Start in debug mode

# radiusd -X
...
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address :: port 1812 as server default
Listening on acct address :: port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 36752
Ready to process requests

2.6.2 Test

Prepare a test user (the LDAP administrator account can be used directly for testing) and open a second terminal.

# radtest test password123456 ipa.test.org 1812 <your_secret_in_clients.conf>
Sending Access-Request Id 105 from 0.0.0.0:44729 to 192.168.1.10:1812
        User-Name = 'test'
        User-Password = ' password123456'
        NAS-IP-Address = 192.168.1.5
        NAS-Port = 1812
        Message-Authenticator = 0x00
Received Access-Accept Id 105 from 192.168.1.5:1812 to 192.168.1.5:44729 length 20

Here the LDAP user name is test and the password is password123456.

2.6.3 Start the service for production

# systemctl enable --now radiusd

References

https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

Reposted from blog.51cto.com/huanghai/2623826