• Radius+OpenLdap+USG防火墙认证


    1.1、安装OpenLdap

    # Create the host directories that will hold the LDAP database and the slapd config.
    mkdir -p /data/ldap/{data,conf}

    # Start OpenLDAP. 389 (plain LDAP) and 636 (LDAPS) are published on every host
    # interface; restrict them with a host firewall / security group to the RADIUS and
    # admin hosts. LDAP_TLS_VERIFY_CLIENT=never only disables verification of the
    # client's certificate, it does not turn TLS off. Fill in the xxxx placeholders first;
    # note that --env values end up in `ps` output and shell history, an --env-file avoids that.
    # NOTE(review): "LDAP_ORGANISATTON" looks like a misspelling of LDAP_ORGANISATION —
    # confirm the name this image expects; a misspelled variable is silently ignored.
    docker run \
      --name ldap \
      --publish 389:389 \
      --publish 636:636 \
      --env LDAP_TLS_VERIFY_CLIENT="never" \
      --env LDAP_ORGANISATTON="xxxx" \
      --env LDAP_DOMAIN="xxxx.com" \
      --env LDAP_ADMIN_PASSWORD="xxxx" \
      --volume /data/ldap/data:/var/lib/ldap \
      --volume /data/ldap/conf:/etc/ldap/slapd.d \
      --detach docker.e6gpshk.com:8443/yunwei/e6yun-openldap:v1.2.5
    

    参数说明

    • LDAP_TLS_VERIFY_CLIENT:TLS 连接时是否校验客户端证书(never 表示不校验,并不会关闭 TLS)
    • LDAP_ORGANISATTON:配置LDAP组织者
    • LDAP_DOMAIN:配置LDAP域
    • LDAP_ADMIN_PASSWORD:配置LDAP密码
    • 默认登录用户名:admin

    1.2、安装可视化操作界面

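    # Start phpLDAPadmin on host port 18004. The original command passed both -d and
    # --detach, which are the same flag; only --detach is kept.
    # PHPLDAPADMIN_HTTPS=false means the admin DN and password travel over plain HTTP:
    # keep 18004 reachable only from the admin network or front it with a TLS proxy.
    # NOTE(review): a web UI container normally does not need --privileged; drop it once
    # confirmed against this image.
    docker run \
      --privileged \
      --name phpldapadmin \
      --publish 18004:80 \
      --env PHPLDAPADMIN_HTTPS=false \
      --env PHPLDAPADMIN_LDAP_HOSTS=10.30.1.4 \
      --detach docker.e6gpshk.com:8443/yunwei/e6yun-openldap-web:v1.2.5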
    

    参数说明

    • PHPLDAPADMIN_HTTPS:是否使用https
    • PHPLDAPADMIN_LDAP_HOSTS:填写主机地址

    2.1、安装radius

    将下面yml保存至radius.yml文件

    # docker-compose definition for the FreeRADIUS container (save as radius.yml).
    version: "3"
    services:
      radius:
        image: freeradius/freeradius-server:3.2.0-alpine
        container_name: radius
        restart: always
        # 1812/1813 are the standard auth/acct ports; 1833 is the extra auth listener of
        # the site_ldap virtual server defined further down. All three are published on
        # every host interface, so limit who can reach them (clients.conf is the second gate).
        # No volume is mounted for /etc/raddb: files copied in with `docker cp` live in the
        # container's writable layer and are lost if the container is recreated.
        ports:
          - '1812:1812/udp'
          - '1813:1813/udp'
          - '1833:1833/udp'
    
    # Create and start the radius container in the background.
    docker-compose --file ./radius.yml up --detach
    

    2.2、配置ldap

    # Copy the rlm_ldap module configuration out of the running container for editing.
    docker cp radius:/etc/raddb/mods-available/ldap .
    

    将配置修改为如下配置

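    # rlm_ldap module configuration (copied back to /etc/raddb/mods-available/ldap).
    # The original listing was missing the closing brace of this block, so radiusd could
    # not parse the file; it is added at the end.
    ldap {
    
    	# Bind target. Port 389 is plain LDAP, so the bind password below and the
    	# userPassword attribute read in `update` cross the network unencrypted. Prefer
    	# ldaps (636 is already published by the OpenLDAP container) or this module's
    	# tls { start_tls = yes } section once a CA certificate is configured.
    	server = 'ldap.e6gpshk.com'
    	port = 389
    	# Binding as the directory admin is more privilege than RADIUS needs; a dedicated
    	# read-only service DN that can search ou=People is sufficient.
    	identity = 'cn=admin,dc=xxxx,dc=com'
    	password = xxxx
    	base_dn = 'ou=People,dc=xxxx,dc=com'
    	sasl {
    	}
    	update {
    		# The site_ldap virtual server on this page forces Auth-Type := ldap, so the
    		# userPassword copy is not what authenticates the user; it only succeeds when
    		# the bind DN is allowed to read password hashes.
    		control:Password-With-Header	+= 'userPassword'
    		control:			+= 'radiusControlAttribute'
    		request:			+= 'radiusRequestAttribute'
    		reply:				+= 'radiusReplyAttribute'
    	}
    	user_dn = "LDAP-UserDn"
    	user {
    		base_dn = "${..base_dn}"
    		# Only inetOrgPerson entries in the wifi group (and not gidNumber 503) match.
    		# The group DN originally read dc=e6yun,dc=com while every other DN on this
    		# page uses dc=xxxx,dc=com; it is aligned with the placeholders here — replace
    		# all of them with the real domain.
    		filter = "(&(objectClass=inetOrgPerson)(memberOf=cn=wifi,ou=Group,dc=xxxx,dc=com)(!(gidNumber=503))(cn=%{%{Stripped-User-Name}:-%{User-Name}}))"
    		sasl {
    		}
    	}
    	group {
    		base_dn = "${..base_dn}"
    		filter = '(objectClass=posixGroup)'
    		membership_attribute = 'memberOf'
    	}
    	profile {
    	}
    	client {
    		base_dn = "${..base_dn}"
    		filter = '(objectClass=radiusClient)'
    		template {
    		}
    		attribute {
    			ipaddr				= 'radiusClientIdentifier'
    			secret				= 'radiusClientSecret'
    		}
    	}
    	accounting {
    		reference = "%{tolower:type.%{Acct-Status-Type}}"
    		type {
    			start {
    				update {
    					description := "Online at %S"
    				}
    			}
    			interim-update {
    				update {
    					description := "Last seen at %S"
    				}
    			}
    			stop {
    				update {
    					description := "Offline at %S"
    				}
    			}
    		}
    	}
    	post-auth {
    		update {
    			description := "Authenticated at %S"
    		}
    	}
    }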
    
    
    # Copy the edited module configuration back into the container.
    docker cp ./ldap radius:/etc/raddb/mods-available/ldap
    
    # Create the site_ldap file with the virtual server shown below.
    vim -- site_ldap
    
    # Virtual server that authenticates exclusively against LDAP (contents of site_ldap).
    server site_ldap { 
        # Extra Access-Request listener on UDP 1833 (published by radius.yml).
        # 0.0.0.0 binds every interface; clients.conf decides which sources are accepted.
        listen { 
             ipaddr = 0.0.0.0
             port = 1833
             type = auth
        } 
        authorize {
             # Every request is handed to the ldap module unconditionally; rlm_ldap then
             # looks the user up with the filter from mods-available/ldap and authenticates
             # by binding to the directory.
             update {
                 control:Auth-Type := ldap
             }
        }
        authenticate {
            Auth-Type ldap {
                ldap
            }
        }
       
        post-auth {
            # Left empty: rejects are not logged or modified here.
            Post-Auth-Type Reject {
            }
        }
    }
    
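    # Install the virtual server as /etc/raddb/sites-available/ldap. The file created
    # above is named site_ldap (underscore); the original command copied ./site-ldap,
    # which does not exist, so the copy failed.
    docker cp ./site_ldap radius:/etc/raddb/sites-available/ldap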
    
    # Copy the client definitions out of the container for editing.
    docker cp radius:/etc/raddb/clients.conf .
    
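    # RADIUS clients (clients.conf). The original accepted Access-Requests from any source
    # (0.0.0.0/0) with an 8-character secret and without Message-Authenticator; all three
    # are tightened below.
    client localhost {
            # Only the USG firewall should be able to talk to this server. Replace the
            # placeholder with its address; widen to 0.0.0.0/0 only while debugging.
            ipaddr = <usg-firewall-ip>/32
            proto = *

            # The shared secret is what authenticates the client; use a long random value
            # (e.g. from `openssl rand -base64 32`).
            secret = <strong-shared-secret>

            # Message-Authenticator lets radiusd verify that each Access-Request really
            # came from the holder of the secret. Set to "no" only if the firewall turns
            # out not to send the attribute.
            require_message_authenticator = yes

            limit {
                    max_connections = 16

                    lifetime = 0

                    idle_timeout = 30
            }
    }

    # Stock entry shipped with the image; it still carries the default secret testing123.
    # Change the secret or delete the block.
    client localhost_ipv6 {
            ipv6addr        = ::1
            secret          = testing123
    }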
    
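    # Copy the edited clients.conf back into the container.
    docker cp ./clients.conf radius:/etc/raddb/clients.conf

    # Enable the ldap module and the ldap virtual server. The symlinks must be created
    # inside the container: the original `ln -s` ran on the host, where /etc/raddb does
    # not exist, so nothing was actually enabled.
    docker exec radius ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/
    docker exec radius ln -s /etc/raddb/sites-available/ldap /etc/raddb/sites-enabled/

    # Check the configuration before restarting; a parse error would otherwise leave the
    # container in a restart loop (restart: always in radius.yml).
    docker exec radius radiusd -C

    # Restart so the new module and site are loaded.
    docker restart radius

    # Configuration is complete at this point.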
    

    接下来配置防火墙radius服务器,使用openldap导入用户

  • 原文地址:https://www.cnblogs.com/lanheader/p/16304222.html