FreedomTunnel/DeploymentNotes
=FreedomTunnelDeploymentGuide=

Keeping notes on how things were deployed. This allows conversion to a Chef recipe later.

==Server setup:==

1) http://www.rjsystems.nl/en/2100-d6-openldap-provider.php << Basic server setup.

2) Run dpkg-reconfigure slapd to get the basic functionality set up.

3) Attempt to add schemas:

<pre>
581  ldapadd -x -D cn=admin,cn=config,dc=corp,dc=thefnf,dc=net -W -f openldap/goserver.ldif
</pre>

This will fail. Fix is at: http://www.saruman.biz/wiki/index.php/OpenLDAP#Adding_or_modifying_the_cn.3Dconfig_admin_password

==GOSA Setup==

Pretty straightforward LAMP deployment.

===GOSA LDAP bits===

Shell history of the schema loads (the repeats are retries until the dependencies were satisfied):

<pre>
464  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goserver.ldif
466  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif
467  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gofon.ldif
468  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif
469  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosystem.ldif
470  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goto.ldif
475  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
476  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/goserver.ldif
480  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
482  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
484  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
487  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
494  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
497  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/samba3.ldif
498  ldapadd -QY EXTERNAL -H ldapi:/// -f openldap/gosa-samba3.ldif
</pre>

= Other Pasted Notes =

== Centralized authentication ==

Set up everything on my network that takes a password (workstations/network gear/WPA/www apps etc.) to talk to OpenLDAP/Kerberos/FreeRadius. This way I will have a centralized auth store with policy control etc. One password for everything. In the event I have an application that can't use SSO, I can still have a common password for it.
What do I have that is capable of talking to these back ends?

* All Linux boxes (use Kerberos/OpenLDAP for logins)
* All Windows boxes (use Kerberos/OpenLDAP/FreeRadius for logins)
* Web apps (most support LDAP directly; for some I use the Kerberos module and PAM auth)
* Cisco gear (FreeRadius)
* Nanostation2 based wireless access points running OpenWRT (WPA2 Enterprise to FreeRadius backend)

== Components ==

* LDAP (this is the backend to everything else)
* 802.1x system for wired/wireless clients (one needs to be on the network in order to access the auth backend). This would be a white list of authorized MAC addresses. Any network access would result in a prompt for credentials.
* Kerberos (this is used for workstation logins)
* FreeRadius (this is used by Cisco gear and for wireless user authentication)
* Clients authenticating

All the below components run on a VPS with CentOS 5.5, up in the cloud (at my $dayjob, which is a very large IaaS provider).

== LDAP ==

LDAP is the back end for everything else (FreeRADIUS/Kerberos serve as authentication methods for clients, talking to LDAP as the authorization system). So it is key to have a working LDAP installation before doing anything else.
Followed HOWTO [http://www.linuxmail.info/openldap-setup-howto/ here]:

<pre>
yum install openldap-servers openldap-clients
</pre>

base.ldif:

<pre>
dn: dc=knownelement,dc=com
dc: knownelement
objectClass: domain
</pre>

users.ldif (note the blank line between the two entries, which LDIF requires):

<pre>
dn: ou=People,dc=knownelement,dc=com
ou: People
objectClass: organizationalUnit

dn: uid=charles,ou=People,dc=knownelement,dc=com
uid: charles
cn: Wyble Charles
displayName: Charles Wyble
givenName: Charles
sn: Wyble
objectClass: inetOrgPerson
userPassword: password
mail: charles@knownelement.com
</pre>

Load both:

<pre>
ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f base.ldif
ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f users.ldif
</pre>

== Kerberos ==

* http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
* http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-clients.html

== FreeRADIUS ==

== 802.1x ==

== Clients ==

=== Web applications ===

* Tattler / Memex (Drupal based applications)
* Thinkup
* Piwigo
* OpenDocMan
* Status.net
* Wordpress
* Redmine
* Mediawiki
* EyeOS
* Thunderbird

=== Network gear ===

* Cisco switches/routers: one howto for FreeRADIUS/LDAP and Cisco gear is [http://jenniferhuber.blogspot.com/2010/07/using-open-source-radius-server-in-your.html here]
* OpenWRT wireless gear

=== Workstations ===

* Windows
* Linux
** Debian
** RedHat

== Source material ==

Here are links to various howtos I referenced to put this wiki page together.
* http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form
* http://techpubs.spinlocksolutions.com/dklar/kerberos.html
* http://techpubs.spinlocksolutions.com/dklar/ldap.html
* http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree
* http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
* http://www.eduroamus.org/node/45
* http://serverfault.com/questions/206054/how-to-integrate-radius-with-kerberos << highly relevant

Copy/paste of relevant bits:

Here's how you make freeradius check a user/password combo against a Kerberos server, and authorize against your LDAP backend---stick this in your radius.conf:

<pre>
modules {
    krb5 {
        keytab = ${confdir}/radius.keytab
        service_principal = radius/radius.example.com
    }
    ldap {
        cache = no
        server = "ldap"
        identity = "uid=freeradius,ou=Accounts,dc=example,dc=com"
        password = secret
        basedn = "dc=com"
        filter = "(krbPrincipalName=%{User-Name})"
        base_filter = "(objectClass=radiusprofile)"
        tls {
            start_tls = no
            # tls_cacertfile = /path/to/cacert.pem
            # tls_cacertdir = /path/to/ca/dir/
            # tls_certfile = /path/to/radius.crt
            # tls_keyfile = /path/to/radius.key
            # tls_randfile = /path/to/rnd
            # tls_require_cert = "demand"
        }
        default_profile = "uid=freeradius,ou=Accounts,dc=example,dc=com"
        profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        #groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
        # set_auth_type = yes
    }
}
</pre>

This assumes you've added the correct radius schema (ships with freeradius, IIRC) into your LDAP directory, and it should point you in the right direction---I don't do 802.1X, but I do use this config to handle other kerberos-via-radius access control scenarios, and it's been running in production for a while now. Obviously, users are logging in with their full kerberos principals (rather than just usernames).

Radius / krb integration:

* http://wiki.freeradius.org/Rlm_krb5
* http://danieljamesscott.org/index.php << various java/apache/ldap/krb resources

=== 802.1x/RADIUS/WiFi Setup ===

The whole kit and kaboodle from the looks of things:

* http://www.readmespot.com/question/f/47815/setting-up-radius---ldap-for-wpa2-on-ubuntu
* http://vuksan.com/linux/dot1x/802-1x-LDAP.html
* http://vuksan.com/linux/LDAP_authentication_under_Linux.html
* http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html
* http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius
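The rlm_ldap block quoted from the ServerFault answer interpolates %{User-Name} and %{Ldap-UserDn} into its two search filters; rlm_ldap is expected to apply RFC 4515 escaping when it expands them. This added Python (not from the page or from FreeRADIUS) reimplements that expansion over the page's own filter templates so the resulting filters can be checked against sample values; the KNOWNELEMENT.COM realm in the sample principal is constructed.

```python
# RFC 4515 escaping for a value interpolated into an LDAP search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value):
    """Escape one assertion value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# The two filter templates from the quoted rlm_ldap configuration, verbatim.
USER_FILTER = "(krbPrincipalName=%{User-Name})"
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")


def expand(template, attrs):
    """Substitute %{Attr} references the way an escaping xlat would."""
    out = template
    for name, value in attrs.items():
        out = out.replace("%{" + name + "}", ldap_filter_escape(value))
    return out


def parens_balanced(filt):
    """Structural sanity check on an expanded filter: every '(' has its ')'."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Sample values: the page's user as a full Kerberos principal (realm constructed)
    # and the DN that rlm_ldap would place in Ldap-UserDn after the first lookup.
    print(expand(USER_FILTER, {"User-Name": "charles@KNOWNELEMENT.COM"}))
    print(expand(GROUP_FILTER,
                 {"Ldap-UserDn": "uid=charles,ou=People,dc=knownelement,dc=com"}))
```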