Outils pour utilisateurs

Outils du site


admin:services:wififederez:configfederez

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

Les deux révisions précédentesRévision précédente
Prochaine révision
Révision précédente
admin:services:wififederez:configfederez [2017/11/24 03:30] chiracadmin:services:wififederez:configfederez [2022/02/09 17:51] (Version actuelle) chapeau
Ligne 45: Ligne 45:
 # FEDEREZ - Dodecagon # FEDEREZ - Dodecagon
 client dodecagon { client dodecagon {
-         secret         vQKWKyEm0EdU +         secret         plop 
-         ipaddr         plop +         ipaddr         62.210.81.204
 } }
  
Ligne 60: Ligne 60:
  
 On met le même secret pour une asso. Il est nécessaire d'enregistrer par ip. On met le même secret pour une asso. Il est nécessaire d'enregistrer par ip.
- 
 ===== Configuration des proxy ===== ===== Configuration des proxy =====
  
Ligne 200: Ligne 199:
         }         }
  
-        if ("%{User-Name}" =~ /@(.*)rezogif$/) { 
-            update control { 
-                Proxy-To-Realm := 'REZOGif' 
-            } 
-        } 
  
-        if ("%{User-Name}" =~ /@(.*)larez.fr$/) {+        if ("%{User-Name}" =~ /@(.*)viarezo$/) {
             update control {             update control {
-                Proxy-To-Realm := 'REZOGif'+                Proxy-To-Realm := 'VIAREZO'
             }             }
         }         }
  
-        if ("%{User-Name}" =~ /@(.*)via(.*)$/) {+        if ("%{User-Name}" =~ /@(.*)larez(.*)$/) {
             update control {             update control {
-                Proxy-To-Realm := 'VIA'+                Proxy-To-Realm := 'VIAREZO'
             }             }
         }         }
Ligne 252: Ligne 246:
 </code> </code>
  
 +On peut décommenter la ligne qui va bien pour effacer les paramètres post_proxy au passage, en effet, il n'y a pas de raison de transmettre des informations tels que vlan id.
 +
 +===== Config de l'auth FedeRez =====
 +
 +On aurait très bien pu s'arréter ici, mais on souhaite permettre aux users FedeRez de s'auth avec un compte FedeRez. Ces comptes sont stockés dans le ldap.
 +
 +Par conséquent, on rempli le mods-available/ldap. En particulier, attention à bien faire du tls entre radius et ldap si le serveur ldap ou replica n'est pas sur localhost.
 +
 +<code>
 +ldap {
 + server = 'localhost'
 +
 + #  Administrator account for searching and possibly modifying.
 + #  If using SASL + KRB5 these should be commented out.
 + identity = 'cn=federezwifi,ou=service-users,dc=federez,dc=net'
 + password = plop
 +
 + #  Unless overridden in another section, the dn from which all
 + #  searches will start from.
 + base_dn = 'cn=Utilisateurs,dc=federez,dc=net'
 +
 + sasl {
 + # SASL mechanism
 +# mech = 'PLAIN'
 +
 + # SASL authorisation identity to proxy.
 +# proxy = 'autz_id'
 +
 + # SASL realm. Used for kerberos.
 +# realm = 'example.org'
 + }
 + #  WARNING: Although this format is almost identical to the unlang
 + #  update section format, it does *NOT* mean that you can use other
 + #  unlang constructs in module configuration files.
 + #
 + #  Configuration items are in the format:
 + # <radius attr> <op> <ldap attr>
 + #
 + #  Request and list qualifiers may also be placed after the 'update'
 + #  section name to set defaults destination requests/lists
 + #  for unqualified RADIUS attributes.
 + #
 + #  Note: LDAP attribute names should be single quoted unless you want
 + #  the name value to be derived from an xlat expansion, or an
 + #  attribute ref.
 + update {
 + control:Password-With-Header += 'userPassword'
 + control:NT-Password := 'sambaNTPassword'
 +# reply:Reply-Message := 'radiusReplyMessage'
 +# reply:Tunnel-Type := 'radiusTunnelType'
 +# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
 +# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
 +
 + #  Where only a list is specified as the RADIUS attribute,
 + #  the value of the LDAP attribute is parsed as a valuepair
 + #  in the same format as the 'valuepair_attribute' (above).
 + control: += 'radiusControlAttribute'
 + request: += 'radiusRequestAttribute'
 + reply: += 'radiusReplyAttribute'
 + }
 + user {
 + #  Where to start searching in the tree for users
 + base_dn = "${..base_dn}"
 +
 + #  Filter for user objects, should be specific enough
 + #  to identify a single user object.
 + filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=sambaSamAccount))"
 +
 + #  SASL parameters to use for user binds
 + sasl {
 + }
 +
 + #  Search scope, may be 'base', 'one', sub' or 'children'
 +# scope = 'sub'
 +
 + #  Server side result sorting
 +# sort_by = '-uid'
 +
 + #  If this is undefined, anyone is authorised.
 + #  If it is defined, the contents of this attribute
 + #  determine whether or not the user is authorised
 +# access_attribute = 'dialupAccess'
 +
 +# access_positive = yes
 + }
 +
 + #
 + #  User membership checking.
 + #
 + group {
 + #  Where to start searching in the tree for groups
 + base_dn = "${..base_dn}"
 +
 + #  Filter for group objects, should match all available
 + #  group objects a user might be a member of.
 + filter = '(objectClass=posixGroup)'
 +
 + # Search scope, may be 'base', 'one', sub' or 'children'
 +# scope = 'sub'
 +
 + #  Attribute that uniquely identifies a group.
 + #  Is used when converting group DNs to group
 + #  names.
 +# name_attribute = cn
 +
 + #  Filter to find group objects a user is a member of.
 + #  That is, group objects with attributes that
 + #  identify members (the inverse of membership_attribute).
 +# membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
 +
 + #  The attribute in user objects which contain the names
 + #  or DNs of groups a user is a member of.
 + #
 + #  Unless a conversion between group name and group DN is
 + #  needed, there's no requirement for the group objects
 + #  referenced to actually exist.
 + membership_attribute = 'memberOf'
 +
 + #  Override the normal cache attribute (<inst>-LDAP-Group or
 + #  LDAP-Group if using the default instance) and create a
 + #  custom attribute.  This can help if multiple module instances
 + #  are used in fail-over.
 +# cache_attribute = 'LDAP-Cached-Membership'
 + }
 +
 + profile {
 + }
 +
 + client {
 + #   Where to start searching in the tree for clients
 + base_dn = "${..base_dn}"
 +
 + #
 + #  Filter to match client objects
 + #
 + filter = '(objectClass=radiusClient)'
 +
 + #
 + #  Sets default values (not obtained from LDAP) for new client entries
 + #
 + template {
 + }
 +
 + attribute {
 + ipaddr = 'radiusClientIdentifier'
 + secret = 'radiusClientSecret'
 + }
 + }
 +
 + #  Load clients on startup
 +# read_clients = no
 +
 + accounting {
 + reference = "%{tolower:type.%{Acct-Status-Type}}"
 +
 + type {
 + start {
 + update {
 + description := "Online at %S"
 + }
 + }
 +
 + interim-update {
 + update {
 + description := "Last seen at %S"
 + }
 + }
 +
 + stop {
 + update {
 + description := "Offline at %S"
 + }
 + }
 + }
 + }
 +
 + #
 + #  Post-Auth can modify LDAP objects too
 + #
 + post-auth {
 + update {
 + description := "Authenticated at %S"
 + }
 + }
 +
 + #
 + #  LDAP connection-specific options.
 + #
 + #  These options set timeouts, keep-alives, etc. for the connections.
 + #
 + options {
 + #  Control under which situations aliases are followed.
 + #  May be one of 'never', 'searching', 'finding' or 'always'
 + #  default: libldap's default which is usually 'never'.
 + #
 + #  LDAP_OPT_DEREF is set to this value.
 +# dereference = 'always'
 +
 + #
 + #  The following two configuration items control whether the
 + #  server follows references returned by LDAP directory.
 + #  They are  mostly for Active Directory compatibility.
 + #  If you set these to 'no', then searches will likely return
 + #  'operations error', instead of a useful result.
 + #
 + chase_referrals = yes
 + rebind = yes
 +
 + #  Seconds to wait for LDAP query to finish. default: 20
 + res_timeout = 10
 +
 + #  Seconds LDAP server has to process the query (server-side
 + #  time limit). default: 20
 + #
 + #  LDAP_OPT_TIMELIMIT is set to this value.
 + srv_timelimit = 3
 +
 + #  Seconds to wait for response of the server. (network
 + #  failures) default: 10
 + #
 + #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
 + net_timeout = 1
 +
 + #  LDAP_OPT_X_KEEPALIVE_IDLE
 + idle = 60
 +
 + #  LDAP_OPT_X_KEEPALIVE_PROBES
 + probes = 3
 +
 + #  LDAP_OPT_X_KEEPALIVE_INTERVAL
 + interval = 3
 +
 + #  ldap_debug: debug flag for LDAP SDK
 + #  (see OpenLDAP documentation).  Set this to enable
 + #  huge amounts of LDAP debugging on the screen.
 + #  You should only use this if you are an LDAP expert.
 + #
 + # default: 0x0000 (no debugging messages)
 + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
 + ldap_debug = 0x0028
 + }
 +
 + tls {
 +
 +# start_tls = yes
 +
 +# ca_file = ${certdir}/cacert.pem
 +
 +# ca_path = ${certdir}
 +# certificate_file = /path/to/radius.crt
 +# private_key_file = /path/to/radius.key
 +# random_file = /dev/urandom
 +
 +# require_cert = 'demand'
 + }
 +
 + #  As of version 3.0, the 'pool' section has replaced the
 + #  following configuration items:
 + #
 + #  When the server is not threaded, the connection pool
 + #  limits are ignored, and only one connection is used.
 + pool {
 + #  Connections to create during module instantiation.
 + #  If the server cannot create specified number of
 + #  connections during instantiation it will exit.
 + #  Set to 0 to allow the server to start without the
 + #  directory being available.
 + start = ${thread[pool].start_servers}
 +
 + #  Minimum number of connections to keep open
 + min = ${thread[pool].min_spare_servers}
 +
 + max = ${thread[pool].max_servers}
 +
 + #  Spare connections to be left idle
 + #
 + #  NOTE: Idle connections WILL be closed if "idle_timeout"
 + #  is set.  This should be less than or equal to "max" above.
 + spare = ${thread[pool].max_spare_servers}
 +
 + #  Number of uses before the connection is closed
 + #
 + #  0 means "infinite"
 + uses = 0
 +
 + #  The number of seconds to wait after the server tries
 + #  to open a connection, and fails.  During this time,
 + #  no new connections will be opened.
 + retry_delay = 30
 +
 + #  The lifetime (in seconds) of the connection
 + lifetime = 0
 +
 + #  Idle timeout (in seconds).  A connection which is
 + #  unused for this length of time will be closed.
 + idle_timeout = 60
 + }
 +}
 +</code>
 +
 +On active ensuite le module ldap en faisant un lien symbolique dans mods-enabled. On vérifie que dans les sites il est bien fait référence à ldap (non commenté).
 +
 +
 +==== Configuration des certificats ====
 +
 +Afin d'éviter d'utiliser des certificats auto-signés, on peut utiliser ceux générés par Let's Encrypt. Pour celà, on commence par créer des liens symboliques dans le dossier certs :
 +<code>
 +cd /etc/freeradius/3.0/certs
 +ln -s /etc/letsencrypt/live/dodecagon.federez.net/cert.pem  cert.pem
 +ln -s /etc/letsencrypt/live/dodecagon.federez.net/fullchain.pem  fullchain.pem
 +ln -s /etc/letsencrypt/live/dodecagon.federez.net/privkey.pem server.key
 +</code>
 +On peut ensuite modifier la configuration de eap pour en tenir compte :
 +<code>
 +eap {
 +        [...]
 +            tls-config tls-LEcert {
 +                private_key_file = ${certdir}/server.key
 +                certificate_file = ${certdir}/cert.pem
 +                ca_file = ${certdir}/fullchain.pem
 +                dh_file = ${certdir}/dh
 +                ca_path = ${cadir}
 +                cipher_list = "DEFAULT"
 +                cipher_server_preference = no
 +                tls_min_version = "1.0"
 +                tls_max_version = "1.2"
 +                ecdh_curve = "prime256v1"
 +
 +                cache {
 +                        enable = yes
 +                        lifetime = 1 # hours
 +                }
 +
 +                verify {
 +                }
 +
 +                ocsp {
 +                        enable = no
 +                        override_cert_url = yes
 +                        url = "http://127.0.0.1/ocsp/"
 +                }
 +        }
 +        [...]
 +        ttls {
 +                tls = tls-LEcert
 +        }
 +        [...]
 +        peap {
 +                tls = tls-LEcert
 +        }
 +        [...]
 +}
 +</code>
  
admin/services/wififederez/configfederez.1511490659.txt.gz · Dernière modification : 2017/11/24 03:30 de chirac

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki