On Thu, 17 Dec 2015 13:41:48 -0500
Omar Isalgué Begué <informat...@enpa.gtm.minag.cu> wrote:
> alguien tiene un manual o conoce de alguna guia para configurar
> freeradius con autentificacion LDAP, puede ser en cualkier distro
>
> Salu2s
>
Uso Proxmox, containers debian, habilitas el modulo ldap, editas ese file que
esta dentro de /modules y le pones todo lo concerniente a la conexion a tu ldap
incluyendo un filtro como ves aca:
root@wifi:/admin/fr/modules# cat ldap
ldap {
server = "ldap://ldap.tu.dominio.cu:389/";
identity = "cn=vmail,dc=tu,dc=dominio,dc=cu"
password = "yb1jztQexcNOHg1bCc7G1BKvixFwiL"
basedn = "o=domains,dc=tu,dc=dominio,dc=cu"
filter =
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(ServWifi=1)(accountStatus=active))"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = yes
password_header = "{clear}"
password_attribute = userPassword
Luego en ese archivito ldap.attrmap mapeas o mas bien matcheas los atributos de
tu ldap hacia los del freeradius:
root@wifi:/admin/fr# cat ldap.attrmap
checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem
checkItem NT-Password sambaNTPassword
Luego: root@wifi:/admin/fr# cat radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
# msg_goodpass = ""
# msg_badpass = ""
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
}
instantiate {
exec
expr
# daily
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
Lo otro que te queda es agregar los clientes en clients.conf:
root@wifi:/admin/fr# cat clients.conf
#AP en el 4to piso - Laboratorio de Quimica
client 172.16.8.2 {
secret = passwd1
shortname = QUIMICA
}
#AP ahora mismo esta en la Radiobase
client 172.16.8.3 {
secret = passwd2
shortname = RADIOBASE
}
#AP ahora mismo en dpto Infantil
client 172.16.8.4 {
secret = passwd3
shortname = INFANTIL
}
Lo hice rapido y de corre corre, dime si te pincha.. buena suerte
______________________________________________________________________
Lista de correos del Grupo de Usuarios de Tecnologías Libres de Cuba.
Gutl-l@jovenclub.cu
https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l
