Versão avaliada: Fedora 42
# vi mods-enabled/ldap
....
ldap {
....
server = 'localhost'
....
port = 636
....
identity = "uid=UsuarioConsulta,cn=users,cn=accounts,dc=local,dc=domain"
password = <SENHA>
....
base_dn = 'dc=local,dc=domain'
....
update {
control:Password-With-Header += 'userPassword'
control:NT-Password := 'ntPassword'
....
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
....
user {
# Where to start searching in the tree for users
base_dn = "${..base_dn}"
....
#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
filter = "(&(uid=%{User-Name})(|(memberOf=cn=g_allow_internet_wifimobi,cn=groups,cn=accounts,dc=local,dc=domain)(memberOf=cn=g_allow_internet_wificorp,cn=groups,cn=accounts,dc=local,dc=domain)))"
# vi sites-available/default
....
authorize {
....
ldap
....
if ((ok || updated) && User-Password && !control:Auth-Type) {
update control {
&Auth-Type := ldap
}
}
....
authenticate {
....
Auth-Type LDAP {
ldap
}
# dnf install ntlm_auth
# vi mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
#program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
program = "/usr/bin/ntlm_auth --request-nt-key --domain=LOCAL.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
# vi mods-enabled/mschap
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
/var/lib/samba/winbindd_privileged
# usermod -aG wbpriv radiusd
Reinicie o serviço.
# systemctl restart radiusd.service
# radtest tiochico Senha2025 localhost 1812 testing123
Sent Access-Request Id 144 from 0.0.0.0:47651 to 127.0.0.1:1812 length 78
User-Name = "tiochico"
User-Password = "Senha2025"
NAS-IP-Address = 10.1.10.251
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "Senha2025"
Received Access-Accept Id 144 from 127.0.0.1:1812 to 127.0.0.1:47651 length 38
Message-Authenticator = 0x3561382d4071499477f4afc0daa92368
Filtro para um grupo e múltiplos grupos.
# vi mods-enabled/ldap
....
user {
base_dn = "${..base_dn}"
filter = "(&(uid=%{User-Name})(memberOf=cn=g_allow_internet_wifimobi,cn=groups,cn=accounts,dc=local,dc=domain))"
# cd /etc/raddb/mods-available
# ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
# mv ldap ldap.Default
# egrep -v "^\s*(#|$)" ldap.Default > ldap
# vi mods-enabled/ldap
....
ldap {
server = 'localhost'
port = 636
identity = "uid=binddnldap,cn=users,cn=accounts,dc=local,dc=domain"
password = Senha2025
base_dn = 'dc=local,dc=domain'
....
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
....
tls {
# start_tls = yes
....
#identity = "krbprincipalname=radius/hl251.local.domain@LOCAL.DOMAIN,uid=binddnldap,cn=users,cn=accounts,dc=local,dc=domain"
# systemctl restart radiusd.service
# radtest <UserLDAP> <SenhaLDAP> localhost 1812 testing123
Sent Access-Request Id 17 from 0.0.0.0:48678 to 127.0.0.1:1812 length 78
User-Name = "UserLDAP"
User-Password = "SenhaLDAP"
NAS-IP-Address = 10.1.10.251
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "SenhaLDAP"
Received Access-Reject Id 17 from 127.0.0.1:1812 to 127.0.0.1:48678 length 38
Message-Authenticator = 0xcfb3bc91a8fa54b7536d0c8d33f8d11e
(0) -: Expected Access-Accept got Access-Reject
Nota: Valide se o link simbólico está criado no diretório mods-enabled para o serviço LDAP.
# Assuming that HOSTNAME is enrolled to IPA realm already,
# run the following on HOSTNAME where RADIUS server will be deployed
# In FreeIPA 4.6+ host principal has permissions to create own services
# HOSTNAME below is a placeholder: substitute the RADIUS server's FQDN on every line.
# Obtain Kerberos credentials from the host keytab (-k), so the ipa commands
# below run as the host principal without prompting for a password.
kinit -k
# Register the RADIUS service principal for this host in IPA.
ipa service-add 'radius/HOSTNAME'
# create keytab for radius user
# NOTE(review): ipa-getkeytab generates new keys for the principal by default,
# which invalidates any keytab previously issued for it — confirm this is intended.
ipa-getkeytab -p 'radius/HOSTNAME' -k /etc/raddb/radius.keytab
# The keytab is long-lived key material: root-owned, readable by the radiusd
# group only (0640), never world-readable.
chown root:radiusd /etc/raddb/radius.keytab
chmod 640 /etc/raddb/radius.keytab
# make radius use the keytab for SASL GSSAPI
# systemd drop-in: KRB5_CLIENT_KTNAME points the daemon's GSSAPI client at the
# keytab above. The leading '-' on ExecStartPre/ExecStopPost tells systemd to
# ignore a non-zero exit from kdestroy, so an absent credential cache does not
# block the unit; kdestroy -A clears all caches before start and after stop.
# The heredoc body contains no '$' or backtick, so the unquoted EOF is safe here.
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/krb5_keytab.conf << EOF
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/raddb/radius.keytab
ExecStartPre=-/usr/bin/kdestroy -A
ExecStopPost=-/usr/bin/kdestroy -A
EOF
# Reload unit definitions so the new drop-in is applied on the next restart.
systemctl daemon-reload
edit /etc/raddb/mods-enabled/ldap
ldap server = 'LDAP HOSTNAME'
ldap base_dn = 'cn=accounts,dc=example,dc=org'
ldap sasl mech = 'GSSAPI'
ldap sasl realm = 'YOUR REALM'
ldap sasl update control:NT-Password := 'ipaNTHash'
# How to request certificates from IPA server for RADIUS
# Move the existing certs directory aside (kept as a backup) and start from an
# empty one.
mv /etc/raddb/certs /etc/raddb/certs.bak
mkdir /etc/raddb/certs
# Generate 2048-bit Diffie-Hellman parameters into the new certs directory.
# NOTE(review): older openssl releases require the bit size as the LAST
# argument (openssl dhparam -out /etc/raddb/certs/dh 2048) — confirm the
# argument order on the target version.
openssl dhparam 2048 -out /etc/raddb/certs/dh
# Ask certmonger (via IPA) for a server certificate: -w waits for issuance,
# -k/-f are the private key and certificate output paths, -T the IPA profile,
# -C a command run after each (re)issuance, -N the subject hostname,
# -D a DNS SAN and -K the Kerberos principal the certificate is tied to.
# NOTE(review): the key and cert land under /etc/pki/tls, not /etc/raddb/certs;
# the radiusd tls config must reference these paths and the radiusd process
# must be able to read radius.key — confirm ownership/mode after issuance.
ipa-getcert request -w -k /etc/pki/tls/private/radius.key -f /etc/pki/tls/certs/radius.pem -T caIPAserviceCert -C 'systemctl restart radiusd.service' -N HOSTNAME -D HOSTNAME -K radius/HOSTNAME
If NT hashes do not work against FreeIPA, what should I use in place of:
ldap sasl update control:NT-Password := 'ipaNTHash'
in the /etc/raddb/mods-enabled/ldap file?
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>