2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
This article explains in detail how to use FreeRadius + LDAP to implement authentication. The editor finds it very practical and shares it here for reference. I hope you get something out of it.
-LDAP part-
First of all, you need a complete LDAP system that is already up and providing service. I won't go into how to set one up here.
Taking my own environment as an example, my user LDIF looks like this: code:
    # extended LDIF
    #
    # LDAPv3
    # base with scope sub
    # filter: uid=radiususer
    # requesting: ALL
    #
    # radiususer, People, Study-area.org
    dn: uid=radiususer,ou=People,o=Study-area.org
    uid: radiususer
    cn: radiususer
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    userPassword:: e2NyeXB0fU1EdTdVYlVZalVGQ0k=
    uidNumber: 10070
    gidNumber: 10002
    homeDirectory: /home/radiususer
    loginShell: /bin/bash
Pay special attention here: I had previously defined an extra objectClass, which caused the system to fail to authenticate. The objectClass was: code:
    objectClass: shadowAccount
This causes the following error, which can be found in /var/log/radius/radius.log: code:
Fri Sep 1 09:03:16 2006: Auth: rlm_unix: [radiususer]: invalid password
-radius server part-
Basically, if you are on CentOS 4.3, simply install it with the following command: code:
    yum install freeradius
I previously installed it on Fedora Core 4 and found that an important library, rlm_ldap.so, was missing, so it's best to check for it after you install FreeRadius: code:
    find / -name rlm_ldap.so
After confirming that the environment and library above are in place, modify the following parts.
In radius.conf:
code:
    ldap {
        server = "127.0.0.1"
        identity = "cn=admin,o=My Org,c=UA"
        password = mypass
        basedn = "ou=People,o=Study-area.org"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        access_attr = "people"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
    }
The settings above should be self-explanatory, so I won't go into detail.
In the authorize section, enable LDAP authentication: code:
    authorize {
        ldap
    }
code:
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
Note that in the two sections above, the LDAP function is disabled by default; you must enable it yourself!
clients.conf:
Next, in clients.conf, find a place to add the settings for authenticating clients (the content below is an example from the original settings, used here for illustration): code:
    client 192.168.0.0/16 {
        secret = testing123-2
        shortname = private-network-2
    }
In this block, I have defined that for the whole 192.168.x.x network, the secret used for client authentication is testing123-2, and the short name used to describe it is private-network-2. The secret is very important, because it will be used shortly.
proxy.conf: In addition, you need to configure proxy.conf to handle the "domain" part of account names: code:
    realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        nostrip
    }
    realm study-area.org {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }
Here I set up two realms. One is for account names without a "domain", that is, an account such as radiususer; the other, study-area.org, is for accounts that the user enters in the form radius@study-area.org.
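How the two realm blocks and the ldap filter above interact, as an added example that is not part of the original article and not FreeRADIUS source code. It is a simplified model that assumes the realm module runs before ldap in authorize; the function names and the sample user names are constructed for illustration.

```python
# Added illustration: simplified model, not FreeRADIUS source code.
STRIPPING_REALMS = {"study-area.org"}   # realms in proxy.conf without "nostrip"

def stripped_user_name(user_name: str):
    """Return Stripped-User-Name, or None when the attribute would not be set."""
    if "@" not in user_name:
        return None                      # realm NULL is marked nostrip
    user, realm = user_name.rsplit("@", 1)
    if realm not in STRIPPING_REALMS:
        return None                      # unknown realm: User-Name is left untouched
    return user

def ldap_escape(value: str) -> str:
    """Escape filter metacharacters as RFC 4515 requires (backslash + two hex digits)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_filter(user_name: str) -> str:
    """Model of (uid=%{Stripped-User-Name:-%{User-Name}})."""
    stripped = stripped_user_name(user_name)
    chosen = stripped if stripped is not None else user_name   # the ":-" fallback
    return "(uid=%s)" % ldap_escape(chosen)

# Constructed inputs: no realm, configured realm, unconfigured realm, metacharacters.
SAMPLES = ["radiususer", "radius@study-area.org", "radius@example.net", "r*d(1)"]

if __name__ == "__main__":
    for name in SAMPLES:
        print("%-24s -> %s" % (name, expand_filter(name)))
```

A name with an unconfigured realm keeps its "@realm" suffix in the filter, so it will not match a uid such as radiususer in the directory.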
When these settings are complete, start the FreeRadius service, then use the following command to check whether password authentication through LDAP works: code:
    radtest username userPassword Radius-Server_IP 0 secret-password
Note that the 0 after Radius-Server_IP is a number; the secret-password that follows is the secret we set in clients.conf for client authentication. Many of the articles I found on the Internet have wrong examples in this section.
If everything goes well, you will get the following message: code:
    # radtest radiususer radius-password localhost 0 testing123-2
    Sending Access-Request of id 53 to 127.0.0.1:1812
        User-Name = "radiususer"
        User-Password = "radius-password"
        NAS-IP-Address = machine-name
        NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=53, length=20
If the secret used for client authentication is incorrect, the following message appears: code:
    # radtest radiususer radius-password localhost 0 testing123-2
    Sending Access-Request of id 6 to 127.0.0.1:1812
        User-Name = "radiususer"
        User-Password = "radius-password"
        NAS-IP-Address = machine-name
        NAS-Port = 0
    Re-sending Access-Request of id 6 to 127.0.0.1:1812
        User-Name = "radiususer"
        User-Password = "200px27347315pz222Y314U026434333"
        NAS-IP-Address = machine-name
        NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=6, length=20
    rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid signature 1812 (err=2)! (Shared secret is incorrect.)
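Why a wrong shared secret produces both a reject and an "invalid signature" message, as an added example that is not part of the original article: it implements the User-Password hiding and Response Authenticator calculation from RFC 2865. The wrong secret, the fixed Request Authenticator and the function names are constructed for illustration, and the password comparison stands in for the LDAP check.

```python
import hashlib
import hmac

def _keystream_xor(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = block if decrypt else result   # always chain on the ciphertext block
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    blocks = max(1, -(-len(password) // 16))  # pad with NULs to a multiple of 16
    return _keystream_xor(password.ljust(blocks * 16, b"\x00"), secret, req_auth, False)

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _keystream_xor(hidden, secret, req_auth, True).rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def reply_signature_ok(reply_auth, code, ident, attrs, req_auth, secret) -> bool:
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    return hmac.compare_digest(reply_auth, expected)

# Constructed sample values (not captured traffic).
SERVER_SECRET = b"testing123-2"   # secret from the clients.conf entry above
WRONG_SECRET = b"testing123"      # hypothetical typo on the client side
REQ_AUTH = bytes(range(16))       # fixed for repeatability; random in real packets
PASSWORD = b"radius-password"

def simulate(client_secret: bytes) -> dict:
    hidden = hide_password(PASSWORD, client_secret, REQ_AUTH)
    server_saw = unhide_password(hidden, SERVER_SECRET, REQ_AUTH)
    code = 2 if server_saw == PASSWORD else 3   # Accept/Reject; stand-in for the LDAP check
    reply_auth = response_authenticator(code, 6, b"", REQ_AUTH, SERVER_SECRET)
    ok = reply_signature_ok(reply_auth, code, 6, b"", REQ_AUTH, client_secret)
    return {"server_saw": server_saw, "code": code, "signature_ok": ok}

if __name__ == "__main__":
    for secret in (SERVER_SECRET, WRONG_SECRET):
        print(secret, simulate(secret))
```

With the wrong secret the server recovers garbage instead of the password and rejects it, and the client cannot verify the reply because the authenticator was computed with a different secret.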