freeradius を改造して ldap + mac-radius 対応にしてみた。
freeradius で、ldap + mac-radius ができなかったので強引に改造してみた。
起動できない人へ
これは元々ある問題なのですが、、、
最初の一発目は必ず /etc/init.d/radiusd start で失敗します。
/etc/init.d/radiusd start [ 失敗 ]
これは 鍵がないのと、ユーザ権限が低すぎて鍵を作れないのが原因です。
いちど root で /usr/sbin/radiusd -X とかやって起動してあげてください。
起動したあとは、Ready to process requests. ってでたら Ctrl + C で止めてあげてね。
以後は、 /etc/init.d/radiusd start で起動できるようになります。
そのうち治るんぢゃないの?
#一度 root で起動する
/usr/sbin/radiusd -X
#
#Ready to process requests. ってでるまでまつ
#
#Ready to process requests.ってでたら Ctrl + C で止める。
#次からは成功するはず
/etc/init.d/radiusd start
パッチ
http://rtilabs.net/files/2011_05_07/ldap_mac_radius_mode__set_mac_radius_mode_without_password.patch
diff -crN freeradius-server-2.1.10.org/raddb/modules/ldap freeradius-server-2.1.10/raddb/modules/ldap
*** freeradius-server-2.1.10.org/raddb/modules/ldap 2010-09-28 20:03:56.000000000 +0900
--- freeradius-server-2.1.10/raddb/modules/ldap 2011-05-07 05:33:26.000000000 +0900
***************
*** 158,163 ****
--- 158,171 ----
# allowed values: {no, yes}
# set_auth_type = yes
+ #
+ # mac-radius when you only want to use.
+ #ldap filter to authenticate using only ignores the password check.
+ #The default is off. (password authentication to)
+ #Please enable mac-radius only when performing.
+ #
+ #set_mac_radius_mode_without_password = no
+
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
diff -crN freeradius-server-2.1.10.org/src/modules/rlm_ldap/rlm_ldap.c freeradius-server-2.1.10/src/modules/rlm_ldap/rlm_ldap.c
*** freeradius-server-2.1.10.org/src/modules/rlm_ldap/rlm_ldap.c 2010-09-28 20:03:56.000000000 +0900
--- freeradius-server-2.1.10/src/modules/rlm_ldap/rlm_ldap.c 2011-05-07 05:33:53.000000000 +0900
***************
*** 173,178 ****
--- 173,179 ----
int edir_account_policy_check;
#endif
int set_auth_type;
+ int set_mac_radius_mode_without_password;
/*
* For keep-alives.
***************
*** 343,348 ****
--- 344,350 ----
#endif
{"set_auth_type", PW_TYPE_BOOLEAN, offsetof(ldap_instance,set_auth_type), NULL, "yes"},
+ {"set_mac_radius_mode_without_password", PW_TYPE_BOOLEAN, offsetof(ldap_instance,set_mac_radius_mode_without_password), NULL, "no"},
{ "keepalive", PW_TYPE_SUBSECTION, 0, NULL, (const void *) keepalive_config },
{NULL, -1, 0, NULL, NULL}
***************
*** 1765,1771 ****
if (!pairfind(request->config_items, PW_CLEARTEXT_PASSWORD) &&
!pairfind(request->config_items, PW_USER_PASSWORD) &&
!pairfind(request->config_items, PW_PASSWORD_WITH_HEADER) &&
! !pairfind(request->config_items, PW_CRYPT_PASSWORD)) {
DEBUG("WARNING: No \"known good\" password was found in LDAP.
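Review bot: The added comment block in raddb/modules/ldap does not tell an operator what `set_mac_radius_mode_without_password` actually does, namely that ldap_authenticate performs no password check at all and returns OK for any entry the filter finds, and the sentences as written are hard to parse. I would replace the seven added comment lines with: `# set_mac_radius_mode_without_password: when yes, ldap_authenticate skips the User-Password check entirely and accepts any entry matched by the filter. It applies to every request this instance handles, not only MAC-style ones, so enable it only on an instance dedicated to MAC-address authentication. Default: no`. Leaving the knob commented out at its default, as the hunk does, is the right choice.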
Are you sure that the user is configured correctly?");
}
}
--- 1767,1774 ----
if (!pairfind(request->config_items, PW_CLEARTEXT_PASSWORD) &&
!pairfind(request->config_items, PW_USER_PASSWORD) &&
!pairfind(request->config_items, PW_PASSWORD_WITH_HEADER) &&
! !pairfind(request->config_items, PW_CRYPT_PASSWORD) &&
! !inst->set_mac_radius_mode_without_password) {
DEBUG("WARNING: No \"known good\" password was found in LDAP. Are you sure that the user is configured correctly?");
}
}
***************
*** 1828,1851 ****
return RLM_MODULE_INVALID;
}
! if (!request->password){
! radlog(L_AUTH, " [%s] Attribute \"User-Password\" is required for authentication.", inst->xlat_name);
! DEBUG2(" You seem to have set \"Auth-Type := LDAP\" somewhere.");
! DEBUG2(" THAT CONFIGURATION IS WRONG. DELETE IT.");
! DEBUG2(" YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.");
! return RLM_MODULE_INVALID;
! }
! if(request->password->attribute != PW_USER_PASSWORD) {
! radlog(L_AUTH, " [%s] Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", inst->xlat_name, request->password->name);
! return RLM_MODULE_INVALID;
! }
! if (request->password->length == 0) {
! snprintf(module_fmsg,sizeof(module_fmsg)," [%s] empty password supplied", inst->xlat_name);
! module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
! pairadd(&request->packet->vps, module_fmsg_vp);
! return RLM_MODULE_INVALID;
}
/*
--- 1831,1860 ----
return RLM_MODULE_INVALID;
}
! if (inst->set_mac_radius_mode_without_password) {
! DEBUG(" this is set_mac_radius_mode_without_password mode.");
! DEBUG(" password is no check!!!!.");
! } else {
! if (!request->password){
! radlog(L_AUTH, " [%s] Attribute \"User-Password\" is required for authentication.", inst->xlat_name);
! DEBUG2(" You seem to have set \"Auth-Type := LDAP\" somewhere.");
! DEBUG2(" THAT CONFIGURATION IS WRONG. DELETE IT.");
! DEBUG2(" YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.");
! return RLM_MODULE_INVALID;
!
}
! if(request->password->attribute != PW_USER_PASSWORD) {
! radlog(L_AUTH, " [%s] Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", inst->xlat_name, request->password->name);
! return RLM_MODULE_INVALID;
! }
!
! if (request->password->length == 0) {
! snprintf(module_fmsg,sizeof(module_fmsg)," [%s] empty password supplied", inst->xlat_name);
! module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
! pairadd(&request->packet->vps, module_fmsg_vp);
! return RLM_MODULE_INVALID;
! }
}
/*
***************
*** 1911,1916 ****
--- 1920,1931 ----
RDEBUG("user DN: %s", user_dn);
+ if (inst->set_mac_radius_mode_without_password) {
+ DEBUG(" skip password check by set_mac_radius_mode_without_password mode.");
+ inst->failed_conns = 0;
+ return RLM_MODULE_OK;
+ }
+
#ifndef NOVELL
ld_user = ldap_connect(instance, user_dn, request->password->vp_strvalue, 1, &res, NULL);
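Review bot: With `set_mac_radius_mode_without_password` set, the new `if (inst->set_mac_radius_mode_without_password)` branch in the `*** 1828,1851 ****` hunk skips every password check for every request that reaches this instance, not only for MAC-authentication requests, so any User-Name present in the directory is accepted without a credential; the flag is an instance-wide setting, not a property of the request. The `*** 1765,1771 ****` hunk shares the concern, since it silences the "no known good password" warning under the same flag, so a directory entry with no password configured no longer draws any attention. A safer shape is to tie the bypass to evidence in the request itself, for example only when `request->username` equals the request's Calling-Station-Id, or to dedicate a separate module instance to MAC authentication so password-based clients never reach this code. Separately, the `if (!request->password)` guard now sits inside the else branch, so under this mode a request without User-Password continues with `request->password == NULL`; if the code between this hunk and the `*** 1911,1916 ****` hunk still dereferences it (the 2.1.x function logs the login attempt with the password, if I remember it correctly) that is a NULL dereference. ldap_authenticate's start and end lie outside the hunk.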
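Review bot: The early `return RLM_MODULE_OK` inserted before `#ifndef NOVELL` skips the `ldap_connect` bind with the user's credentials, the only proof of possession this function has, and everything after it in ldap_authenticate, which lies outside the hunk, is skipped as well, including whatever account-policy handling follows the bind. Setting `inst->failed_conns = 0` on this path also resets what appears to be the module's connection-failure counter without any LDAP operation having succeeded, which has nothing to do with a password decision; I would drop that line. As a point of style, the new messages here and in the `*** 1828,1851 ****` hunk use `DEBUG` where the surrounding code uses `RDEBUG`, and wording such as `" password is no check!!!!."` should be normalised, e.g. `RDEBUG("set_mac_radius_mode_without_password is set: skipping password check");`.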
パッチを使った遊び方
#元ファイルを持ってくる
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.bz2
tar jxvf freeradius-server-2.1.10.tar.bz2
##パッチはこんなふうに作った
## diff -crN freeradius-server-2.1.10.org freeradius-server-2.1.10 > ldap_mac_radius_mode__set_mac_radius_mode_without_password.patch
#パッチを当てる
wget http://rtilabs.net/files/2011_05_07/ldap_mac_radius_mode__set_mac_radius_mode_without_password.patch
cd freeradius-server-2.1.10
patch -p1 < ../ldap_mac_radius_mode__set_mac_radius_mode_without_password.patch
#ふつーにビルド
./configure
make
make install
#ldap を有効にする設定をする
#set_mac_radius_mode_without_password = yes にする
#mac-radius する。うまー
rpmの作り方
centos5.5 の freeradius から派生させた。
#足りないパッケージを入れる。
##たぶん他にももっと色いろあるはず・・・
yum install libtool-ltdl-devel gdbm-devel net-snmp-devel libpcap-devel mysql-devel postgresql-devel unixODBC-devel
#オリジナルのRPM
wget http://ftp.iij.ad.jp/pub/linux/centos/5.6/os/SRPMS/freeradius2-2.1.7-7.el5.src.rpm
rpm -i freeradius2-2.1.7-7.el5.src.rpm
#ソースを持ってくる
cd /usr/src/redhat/SOURCES
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.bz2
#SPECを修正する 内容は次のところに
cd /usr/src/redhat/SPEC
vi freeradius2.spec
#ビルドする
rpmbuild -ba freeradius2.spec
SPEC修正内容
リリース名を付けた
------------------------------------------------------------------------------
Release: 7%{?dist}
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
Release: ldap_macradius_patch.7%{?dist}
------------------------------------------------------------------------------
パッチの追加
------------------------------------------------------------------------------
Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2
Source100: freeradius-radiusd-init
Source102: freeradius-logrotate
Source103: freeradius-pam-conf
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2
Source100: freeradius-radiusd-init
Source102: freeradius-logrotate
Source103: freeradius-pam-conf
Patch0: ldap_mac_radius_mode__set_mac_radius_mode_without_password.patch
------------------------------------------------------------------------------
パッチの適用
------------------------------------------------------------------------------
%prep
%setup -q -n freeradius-server-%{version}
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
%build
%ifarch s390 s390x
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
%else
export CFLAGS="$RPM_OPT_FLAGS -fpic"
%endif
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
%prep
%setup -q -n freeradius-server-%{version}
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
%patch0 -p1 -b .initscript
%build
%ifarch s390 s390x
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
%else
export CFLAGS="$RPM_OPT_FLAGS -fpic"
%endif
------------------------------------------------------------------------------
追加でインストールされるファイルを追記.
------------------------------------------------------------------------------
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/wimax
%dir %attr(755,radiusd,radiusd) /var/run/radiusd/
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/wimax
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/attrs.access_challenge
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dynamic_clients
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/ntlm_auth
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/opendirectory
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/ldap.initscript
%dir %attr(755,radiusd,radiusd) /var/run/radiusd/
------------------------------------------------------------------------------
実際の遊び方
次回に続く...