INSTALANDO O IDP NA INSTITUIÇÃO CLIENTE
Adicione a chave pública PGP da NetworkRADIUS:
Adicione um arquivo de preferências APT para garantir que todos os pacotes freeradius sejam instalados do repositório Network RADIUS:
Adicione a lista de fontes do APT:
Por fim, atualize o banco de dados APT e instale os pacotes:
Comandos úteis:
systemctl status freeradius.service
systemctl start freeradius.service
systemctl stop freeradius.service
Rodar o FreeRADIUS em modo de debug no nível máximo:
systemctl stop freeradius.service
freeradius -fxxxxx -lstdout
systemctl start freeradius.service
Verificar se as configurações do FreeRADIUS estão OK:
freeradius -CX
# FreeRADIUS configuration files to edit for the IdP. The page only gives the
# paths; the expected contents of each file are not shown here.
vim /etc/freeradius/clients.conf
#
vim /etc/freeradius/proxy.conf
vim /etc/freeradius/sites-enabled/default
vim /etc/freeradius/sites-enabled/radsec
vim /etc/freeradius/mods-enabled/eap
vim /etc/freeradius/mods-enabled/eap   # listed twice on the original page
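cd /etc/freeradius/certs
# 2048-bit Diffie-Hellman parameters, generator 2, written to the certs dir
# (absolute path so the file lands in the right place even if the cd failed).
openssl dhparam -out /etc/freeradius/certs/dh -2 2048
# The RNP-issued certificate becomes server.pem and the private key is then
# APPENDED to it. The page's original `cat key server.pem` had no redirection:
# it only printed both files to the terminal and wrote nothing.
# NOTE(review): this assumes the eap module (not shown on this page) reads
# certificate and key from the same PEM file - confirm in mods-enabled/eap.
cp -- seu_certificado_recebito_da_rnp.crt /etc/freeradius/certs/server.pem
cat -- seu_certificado_recebito_da_rnp.key >> /etc/freeradius/certs/server.pem
# server.pem now contains the private key: do not leave it world-readable.
# NOTE(review): its group should be the account the FreeRADIUS daemon runs as
# (check the service unit); root:freerad is the usual Debian/Ubuntu layout.
chmod 640 -- /etc/freeradius/certs/server.pem
# RNP CA appended to the trusted CA bundle (same missing `>>` as above).
# NOTE(review): if ca.pem still holds the package's default test CA, replace
# the file (cp) instead of appending so that only the RNP CA is trusted.
cat -- rnp-ca.crt >> /etc/freeradius/certs/ca.pem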
vim /etc/freeradius/mods-available/ldap
# -*- text -*- # # $Id: 015ae6907b8113771691ae3a3c1d53b05756d143 $
# # Lightweight Directory Access Protocol (LDAP) # ldap { # Note that this needs to match the name(s) in the LDAP server # certificate, if you're using ldaps. See OpenLDAP documentation # for the behavioral semantics of specifying more than one host. # # Depending on the libldap in use, server may be an LDAP URI. # In the case of OpenLDAP this allows additional the following # additional schemes: # - ldaps:// (LDAP over SSL) # - ldapi:// (LDAP over Unix socket) # - ldapc:// (Connectionless LDAP) server = 'IP_ou_nome_do_seu_servidor_ldap'
# Port to connect on, defaults to 389, will be ignored for LDAP URIs. port = 389
# Administrator account for searching and possibly modifying.
# If using SASL + KRB5 these should be commented out.
identity = 'uid=app.idpeduroam.r,ou=APLICACOES,dc=dominio,dc=local'
password = SENHA_DA_CONTA_DE_BIND_LDAP
# Unless overridden in another section, the dn from which all # searches will start from. base_dn = 'dc=seu_dominio,dc=local'
# # You can run the 'ldapsearch' command line tool using the # parameters from this module's configuration. # # ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}' # # That will give you the LDAP information for 'user'. # # Group membership can be queried by using the above "ldapsearch" string, # and adding "memberof" qualifiers. For ActiveDirectory, use: # # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))' # # Where 'user' is the user as above, and 'group' is the group you are querying for. #
# # SASL parameters to use for admin binds # # When we're prompted by the SASL library, these control # the responses given, as well as the identity and password # directives above. # # If any directive is commented out, a NULL response will be # provided to cyrus-sasl. # # Unfortunately the only way to control Keberos here is through # environmental variables, as cyrus-sasl provides no API to # set the krb5 config directly. # # Full documentation for MIT krb5 can be found here: # # http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html # # At a minimum you probably want to set KRB5_CLIENT_KTNAME. # sasl { # SASL mechanism # mech = 'PLAIN'
# SASL authorisation identity to proxy. # proxy = 'autz_id'
# SASL realm. Used for kerberos. # realm = 'example.org' }
# # Generic valuepair attribute #
# If set, this will attribute will be retrieved in addition to any # mapped attributes. # # Values should be in the format: # <radius attr> <op> <value> # # Where: # <radius attr>: Is the attribute you wish to create # with any valid list and request qualifiers. # <op>: Is any assignment operator (=, :=, +=, -=). # <value>: Is the value to parse into the new valuepair. # If the value is wrapped in double quotes it # will be xlat expanded. # valuepair_attribute = 'radiusAttribute'
# # Mapping of LDAP directory attributes to RADIUS dictionary attributes. #
# WARNING: Although this format is almost identical to the unlang # update section format, it does *NOT* mean that you can use other # unlang constructs in module configuration files. # # Configuration items are in the format: # <radius attr> <op> <ldap attr> # # Where: # <radius attr>: Is the destination RADIUS attribute # with any valid list and request qualifiers. # <op>: Is any assignment attribute (=, :=, +=, -=). # <ldap attr>: Is the attribute associated with user or # profile objects in the LDAP directory. # If the attribute name is wrapped in double # quotes it will be xlat expanded. # # Request and list qualifiers may also be placed after the 'update' # section name to set defaults destination requests/lists # for unqualified RADIUS attributes. # # Note: LDAP attribute names should be single quoted unless you want # the name value to be derived from an xlat expansion, or an # attribute ref. update { control:Password-With-Header += 'userPassword' # control:NT-Password := 'ntPassword' control:NT-Password := 'sambaNTPassword' reply:Reply-Message := 'radiusReplyMessage' reply:Tunnel-Type := 'radiusTunnelType' reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# Where only a list is specified as the RADIUS attribute, # the value of the LDAP attribute is parsed as a valuepair # in the same format as the 'valuepair_attribute' (above). control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' }
# Set to yes if you have eDirectory and want to use the universal # password mechanism. # edir = no
# Set to yes if you want to bind as the user after retrieving the # Cleartext-Password. This will consume the login grace, and # verify user authorization. # edir_autz = no
# Note: set_auth_type was removed in v3.x.x # # Equivalent functionality can be achieved by adding the # following "if" statement to the authorize {} section of # the virtual server, after the "ldap" module. For example: # # ... # ldap # if ((ok || updated) && User-Password && !control:Auth-Type) { # update { # control:Auth-Type := ldap # } # } # ... # # You will also need to uncomment the "Auth-Type LDAP" block in the # "authenticate" section. #
# # Name of the attribute that contains the user DN. # The default name is LDAP-UserDn. # # If you have multiple LDAP instances, you should # # ${.:instance}-LDAP-UserDn # # That change allows the modules to set their own # User DN, and to not conflict with each other. # user_dn = "LDAP-UserDn"
# # User object identification. # user { # Where to start searching in the tree for users base_dn = "${..base_dn}"
# Filter for user objects, should be specific enough # to identify a single user object. # # For Active Directory, you should use # "samaccountname=" instead of "uid=" # # filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" # filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# Exemplo abaixo para instituição utilizando OR para autenticar somente pelo uid ou pelo email
# filter = "(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{User-Name}))"
# filter = "(mail=%{User-Name})"
# For Active Directory nested group, you should comment out the previous 'filter = ...' # and use the below. Where 'group' is the group you are querying for. # # NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN. # This applies only to DN attributes. This is an extended match operator that walks # the chain of ancestry in objects all the way to the root until it finds a match. # This reveals group nesting. It is available only on domain controllers with # Windows Server 2003 SP2 or Windows Server 2008 (or above). # # See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx # # filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
# SASL parameters to use for user binds # # When we're prompted by the SASL library, these control # the responses given. # # Any of the config items below may be an attribute ref # or and expansion, so different SASL mechs, proxy IDs # and realms may be used for different users. sasl { # SASL mechanism # mech = 'PLAIN'
# SASL authorisation identity to proxy. # proxy = &User-Name
# SASL realm. Used for kerberos. # realm = 'example.org' }
# Search scope, may be 'base', 'one', sub' or 'children' # scope = 'sub'
# Server side result sorting # # A list of space delimited attributes to order the result # set by, if the filter matches multiple objects. # Only the first result in the set will be processed. # # If the attribute name is prefixed with a hyphen '-' the # sorting order will be reversed for that attribute. # # If sort_by is set, and the server does not support sorting # the search will fail. # sort_by = '-uid'
# If this is undefined, anyone is authorised. # If it is defined, the contents of this attribute # determine whether or not the user is authorised # access_attribute = 'dialupAccess'
# Control whether the presence of 'access_attribute' # allows access, or denys access. # # If 'yes', and the access_attribute is present, or # 'no' and the access_attribute is absent then access # will be allowed. # # If 'yes', and the access_attribute is absent, or # 'no' and the access_attribute is present, then # access will not be allowed. # # If the value of the access_attribute is 'false', it # will negate the result. # # e.g. # access_positive = yes # access_attribute = userAccessAllowed # # With an LDAP object containing: # userAccessAllowed: false # # Will result in the user being locked out. # access_positive = yes }
# # User membership checking. # group { # Where to start searching in the tree for groups base_dn = "${..base_dn}"
# Filter for group objects, should match all available # group objects a user might be a member of. # # If using Active Directory you are likely to need "group" # instead of "posixGroup". filter = '(objectClass=posixGroup)'
# Search scope, may be 'base', 'one', sub' or 'children' # scope = 'sub'
# Attribute that uniquely identifies a group. # Is used when converting group DNs to group # names. # name_attribute = cn
# Filter to find all group objects a user is a member of. # That is, group objects with attributes that # identify members (the inverse of membership_attribute). # # Note that this configuration references the "user_dn" # configuration defined above. # # membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
# The attribute, in user objects, which contain the names # or DNs of groups a user is a member of. # # Unless a conversion between group name and group DN is # needed, there's no requirement for the group objects # referenced to actually exist. # # If the LDAP server does not support the "memberOf" # attribute (or equivalent), then you will need to use the # membership_filter option above instead. If you can't see # the memberOf attribute then it is also possible that the # LDAP bind user does not have the correct permissions to # view it. membership_attribute = 'memberOf'
# If cacheable_name or cacheable_dn are enabled, # all group information for the user will be # retrieved from the directory and written to LDAP-Group # attributes appropriate for the instance of rlm_ldap. # # For group comparisons these attributes will be checked # instead of querying the LDAP directory directly. # # This feature is intended to be used with rlm_cache. # # If you wish to use this feature, you should enable # the type that matches the format of your check items # i.e. if your groups are specified as DNs then enable # cacheable_dn else enable cacheable_name. # cacheable_name = 'no' # cacheable_dn = 'no'
# Override the normal cache attribute (<inst>-LDAP-Group or # LDAP-Group if using the default instance) and create a # custom attribute. This can help if multiple module instances # are used in fail-over. # cache_attribute = 'LDAP-Cached-Membership'
# If the group being checked is specified as a name, but # the user's groups are referenced by DN, and one of those # group DNs is invalid, the whole group check is treated as # invalid, and a negative result will be returned. # When set to 'yes', this option ignores invalid DN # references. # allow_dangling_group_ref = 'no' }
# # User profiles. RADIUS profile objects contain sets of attributes # to insert into the request. These attributes are mapped using # the same mapping scheme applied to user objects (the update section above). # profile { # Filter for RADIUS profile objects # filter = '(objectclass=radiusprofile)'
# The default profile. This may be a DN or an attribute # reference. # To get old v2.2.x style behaviour, or to use the # &User-Profile attribute to specify the default profile, # set this to &control:User-Profile. # default = 'cn=radprofile,dc=example,dc=org'
# The LDAP attribute containing profile DNs to apply # in addition to the default profile above. These are # retrieved from the user object, at the same time as the # attributes from the update section, are are applied # if authorization is successful. # attribute = 'radiusProfileDn' }
# # Bulk load clients from the directory # client { # Where to start searching in the tree for clients base_dn = "${..base_dn}"
# # Filter to match client objects # filter = '(objectClass=radiusClient)'
# Search scope, may be 'base', 'one', 'sub' or 'children' # scope = 'sub'
# # Sets default values (not obtained from LDAP) for new client entries # template { # login = 'test' # password = 'test' # proto = tcp # require_message_authenticator = yes
# Uncomment to add a home_server with the same # attributes as the client. # coa_server { # response_window = 2.0 # } }
# # Client attribute mappings are in the format: # <client attribute> = <ldap attribute> # # The following attributes are required: # * ipaddr | ipv4addr | ipv6addr - Client IP Address. # * secret - RADIUS shared secret. # # All other attributes usually supported in a client # definition are also supported here. # # Schemas are available in doc/schemas/ldap for openldap and eDirectory # attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' # shortname = 'radiusClientShortname' # nas_type = 'radiusClientType' # virtual_server = 'radiusClientVirtualServer' # require_message_authenticator = 'radiusClientRequireMa' } }
# Load clients on startup # read_clients = no
# # Modify user object on receiving Accounting-Request #
# Useful for recording things like the last time the user logged
# in, or the Acct-Session-ID for CoA/DM.
#
# LDAP modification items are in the format:
# 	<ldap attr> <op> <value>
#
# Where:
# 	<ldap attr>:	The LDAP attribute to add modify or delete.
# 	<op>: 		One of the assignment operators:
#			(:=, +=, -=, ++).
#			Note: '=' is *not* supported.
# 	<value>:	The value to add modify or delete.
#
# WARNING: If using the ':=' operator with a multi-valued LDAP
# attribute, all instances of the attribute will be removed and
# replaced with a single attribute.
# NAO PRECISA COMENTAR AS LINHAS ABAIXO PARA LDAP OU AD
accounting {
	reference = "%{tolower:type.%{Acct-Status-Type}}"
	type {
		start {
			update {
				description := "Online at %S"
			}
		}
		interim-update {
			update {
				description := "Last seen at %S"
			}
		}
		stop {
			update {
				description := "Offline at %S"
			}
		}
	}
}
# # Post-Auth can modify LDAP objects too #
post-auth {
	# COMENTAR O BLOCO ABAIXO POIS ELE TENTA GRAVAR NO AD/LDAP O HORARIO DE AUTENTICACAO
	#update {
	#	description := "Authenticated at %S"
	#}
}
# # LDAP connection-specific options. # # These options set timeouts, keep-alives, etc. for the connections. # options { # Control under which situations aliases are followed. # May be one of 'never', 'searching', 'finding' or 'always' # default: libldap's default which is usually 'never'. # # LDAP_OPT_DEREF is set to this value. # dereference = 'always'
# # The following two configuration items control whether the # server follows references returned by LDAP directory. # They are mostly for Active Directory compatibility. # If you set these to 'no', then searches will likely return # 'operations error', instead of a useful result. # chase_referrals = yes rebind = yes
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page). # Note - uncomment when using GSS-API sasl mechanism along with TLS # encryption against Active-Directory LDAP servers (this disables # sealing and signing at the GSS level as required by AD). #sasl_secprops = 'noanonymous,noplain,maxssf=0'
# Seconds to wait for LDAP query to finish. default: 20 res_timeout = 10
# Seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. srv_timelimit = 3
# Seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1
# LDAP_OPT_X_KEEPALIVE_IDLE idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) ldap_debug = 0x0028 }
# # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the 'tls_*' configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 636) connections # start_tls = yes
# ca_file = ${certdir}/cacert.pem
# ca_path = ${certdir} # certificate_file = /path/to/radius.crt # private_key_file = /path/to/radius.key # random_file = /dev/urandom
# Certificate Verification requirements. Can be: # 'never' (do not even bother trying) # 'allow' (try, but don't fail if the certificate # cannot be verified) # 'demand' (fail if the certificate does not verify) # 'hard' (similar to 'demand' but fails if TLS # cannot negotiate) # # The default is libldap's default, which varies based # on the contents of ldap.conf.
# require_cert = 'demand'
# # Minimum TLS version to accept. We STRONGLY recommend # setting this to "1.2" # # tls_min_version = "1.2" }
# As of version 3.0, the 'pool' section has replaced the # following configuration items: # # ldap_connections_number
# The connection pool is new for 3.0, and will be used in many # modules, for all kinds of connection-related activity. # # When the server is not threaded, the connection pool # limits are ignored, and only one connection is used. pool { # Connections to create during module instantiation. # If the server cannot create specified number of # connections during instantiation it will exit. # Set to 0 to allow the server to start without the # directory being available. start = ${thread[pool].start_servers}
# Minimum number of connections to keep open min = ${thread[pool].min_spare_servers}
# Maximum number of connections # # If these connections are all in use and a new one # is requested, the request will NOT get a connection. # # Setting 'max' to LESS than the number of threads means # that some threads may starve, and you will see errors # like 'No connections available and at max connection limit' # # Setting 'max' to MORE than the number of threads means # that there are more connections than necessary. max = ${thread[pool].max_servers}
# Spare connections to be left idle # # NOTE: Idle connections WILL be closed if "idle_timeout" # is set. This should be less than or equal to "max" above. spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed # # 0 means "infinite" uses = 0
# The number of seconds to wait after the server tries # to open a connection, and fails. During this time, # no new connections will be opened. retry_delay = 30
# The lifetime (in seconds) of the connection lifetime = 0
# Idle timeout (in seconds). A connection which is # unused for this length of time will be closed. idle_timeout = 60
# NOTE: All configuration settings are enforced. If a # connection is closed because of 'idle_timeout', # 'uses', or 'lifetime', then the total number of # connections MAY fall below 'min'. When that # happens, it will open a new connection. It will # also log a WARNING message. # # The solution is to either lower the 'min' connections, # or increase lifetime/idle_timeout. } }
Agora precisamos criar o link simbólico para ativar a autenticação via LDAP:
ln -s /etc/freeradius/mods-available/ldap /etc/freeradius/mods-enabled/ldap
Agora você pode executar o comando freeradius -CX para verificar se a configuração está OK.
Se, ao instalar os pacotes, aparecer alguma tela perguntando por alguma informação, você pode pressionar Enter; não precisa responder.
apt install krb5-user libpam-krb5 krb5-config libkrb5-3 libkadm5clnt-mit12 winbind systemd-timesyncd ntpdate samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules cifs-utils smbclient
Configuração do arquivo krb5.conf:
vim /etc/krb5.conf
[libdefaults]
default_realm = SEU_DOMINIO.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
[realms]
SEU_DOMINIO.LOCAL = {
kdc = 200.130.35.164
kdc = 200.143.193.71
admin_server = 200.130.35.164
default_domain = seu_dominio.local
master_kdc = 200.130.35.164
}
[domain_realm]
seu_dominio.local = SEU_DOMINIO.LOCAL
.seu_dominio.local = SEU_DOMINIO.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
libkrb5 = 0-/SYSLOG:
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
Para testar se a configuração acima está funcionando, você pode utilizar o seguinte comando:
kinit seulogin@SEU_DOMINIO.LOCAL
Para ver se você se autenticou, pode utilizar o comando: klist
vim /etc/samba/smb.conf
[global]
netbios name = idp1
security = ads
realm = SEU_DOMINIO.LOCAL
workgroup = SEU_DOMINIO
server role = standalone server
server string = EDUROAM RADIUS server
invalid users = root
socket options = TCP_NODELAY
idmap config * : rangesize = 1000000
idmap config * : range = 1000000-19999999
idmap config * : backend = autorid
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
logging = syslog@1 file
log level = 1 smb:4 acls:4 locking:4
log file = /var/log/samba/%m.log
smbd profiling level = on
pam password change = yes
password server = *
#log level = 10
#debug pid = true
#max log size = 0
# adicionado em 14-06-2023
kerberos method = secrets and keytab
client signing = yes
winbind offline logon = yes
winbind request timeout = 10
# Keep a copy of the current resolver configuration before replacing it.
cp /etc/resolv.conf /etc/resolv.conf.bak
# NOTE(review): on hosts where /etc/resolv.conf is a symlink maintained by a
# local resolver service, the file may be regenerated later - confirm before
# relying on a hand-written copy.
rm /etc/resolv.conf
# Write the new resolver configuration (the contents follow on the page).
vim /etc/resolv.conf
nameserver 200.130.35.164
nameserver 18.229.209.221
search SEU_DOMINIO.LOCAL
domain SEU_DOMINIO.LOCAL
Ingressando a máquina no domínio local:
net ads join -I ip_ad -U user_ad
Para saber se a máquina ingressou com sucesso: net ads testjoin
Verificar o conteúdo do arquivo mschap:
vim /etc/freeradius/mods-enabled/mschap
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
Configurando o arquivo ntlm_auth:
vim /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=SEU_DOMINIO.LOCAL --username=%{mschap:User-Name} --password=%{User-Password}"
}
# Restart the whole stack: stop FreeRADIUS first, then the Samba services,
# and bring them back in the reverse order (presumably so winbind is already
# running when FreeRADIUS starts). Failures are not checked, as on the page.
for svc in freeradius smbd nmbd winbind; do
  /etc/init.d/"$svc" stop
done
for svc in smbd nmbd winbind freeradius; do
  /etc/init.d/"$svc" start
done
radtest login_do_usuario_do_ad@seu_dominio.br senha_do_usuario 127.0.0.1 0 radsec