This shows you the differences between two versions of the page.
| — |
cs:spravce:pripojovani:radius:freeradius3:edirectory [2016/09/18 12:56] (current) Jan Tomášek vytvořeno |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Napojení freeRADIUSu v3 na eDirectory server ====== | ||
| + | Freeradius podporuje eDirectory Universal Password, je však nutné zkompilovat freeradius s volbou ''--with-edir'' a eDirectory patřičně nakonfigurovat. | ||
| + | V souboru ''debian/rules'' ve zdrojových kódech přidejte ''./configure'' volbu ''--with-edir'': | ||
| + | <xterm> | ||
| + | ./configure $(confflags) \ | ||
| + | --config-cache \ | ||
| + | .. | ||
| + | --with-edir \ | ||
| + | --with-raddbdir=$(raddbdir) \ | ||
| + | .. | ||
| + | </xterm> | ||
| + | |||
| + | Ve stejném adresáři spusťte příkaz na vygenerování deb balíčků: | ||
| + | <xterm> | ||
| + | fakeroot dpkg-buildpackage -b -uc | ||
| + | </xterm> | ||
| + | |||
| + | Nainstalujte potřebné balíčky. | ||
| + | |||
| + | Soubor ''/etc/freeradius/sites-available/default'' by ldap volby měl mít nastaven takto: | ||
| + | <xterm> | ||
| + | authorize { | ||
| + | .. | ||
| + | ldap | ||
| + | .. | ||
| + | } | ||
| + | |||
| + | post-auth { | ||
| + | .. | ||
| + | ldap | ||
| + | .. | ||
| + | Post-Auth-Type REJECT { | ||
| + | -sql | ||
| + | ldap | ||
| + | eap | ||
| + | remove_reply_message_if_eap | ||
| + | } | ||
| + | } | ||
| + | </xterm> | ||
| + | |||
| + | Soubor ''/etc/freeradius/sites-available/inner-tunnel'' by ldap volby měl mít nastaven takto: | ||
| + | <xterm> | ||
| + | authorize { | ||
| + | .. | ||
| + | ldap | ||
| + | .. | ||
| + | } | ||
| + | |||
| + | post-auth { | ||
| + | .. | ||
| + | ldap | ||
| + | .. | ||
| + | Post-Auth-Type REJECT { | ||
| + | -sql | ||
| + | ldap | ||
| + | #attr_filter.access_reject # musi byt zakomentovan | ||
| + | } | ||
| + | } | ||
| + | </xterm> | ||
| + | |||
| + | Nastavení modulu ldap v souboru ''/etc/freeradius/mods-available/ldap'': | ||
| + | <xterm> | ||
| + | server = "ldaps:/ /<server>.<domena>.cz" # mezera mezi lomitky v ldaps uri byt nema, pridana kvuli chybe xterm pluginu do dokuwiki | ||
| + | identity = "cn=<proxy_ucet>,ou=is,o=<organizace>" # ucet s opravnenim cist Universal Password | ||
| + | password = <proxy_heslo> # heslo k proxy uctu | ||
| + | base_dn = "ou=idm,o=<organizace>" # Base DN, kde hledat uzivatele | ||
| + | user { | ||
| + | .. | ||
| + | filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" # ve filtru musi byt cn (misto bezneho uid) | ||
| + | .. | ||
| + | } | ||
| + | edir = yes | ||
| + | edir_autz = yes | ||
| + | |||
| + | tls { | ||
| + | .. | ||
| + | ca_file = <ca_ldaps.pem> | ||
| + | require_cert = "demand" | ||
| + | .. | ||
| + | } | ||
| + | </xterm> | ||
CESNET, z. s. p. o.
Zikova 4, 16000 Praha 6
Tel: +420 224 352 994
Fax: +420 224 320 269
info@cesnet.cz
Tel: +420 234 680 222
GSM: +420 602 252 531
Fax: +420 224 313 211
support@cesnet.cz