O/H Mitch McCracken έγραψε:
When organizations grow, there becomes more and more systems that need
to be maintained, and each may have different configurations and users
which have access to them. Individually editing local config files
gets old pretty fast for hundred of devices, and developing a unified
and central user authorization database system that spans across all
types of information systems becomes necessary.
Enter: OpenLDAP. I think I've developed a solution to maintain Linux
hosts which controls POSIX users/groups/sudo access/apache website
access/etc. by using a central LDAP database that stores policies of
what a user can do on any one of our PCs. The actual configuration got
fairly ugly, though (PAM not allowing you to specify more than one
LDAP Group to allow access to the machine, thus the posixGroup LDAP
schema had to be used (since /etc/security/access.conf allows you to
specify multiple posix group access) instead of groupOfNames, but
groupOfNames is needed for apache's ldap auth module, so both must be
used..), but I've only covered access management for our websites and
Linux PCs, not all of the various routers, switches, or other
RADIUS-aware equipment that exist within the organization.
Enter: FreeRADIUS. We do already have a FreeRADIUS configuration that
is auto-generated by our internal MySQL-based access policies to
control access to our networking equipment, although this is fairly
ugly, and it would be much much nicer if it could use the LDAP
database I'm currently developing to control access across all devices
instead. To put it gently, I want FreeRADIUS to be configured
*entirely* off of LDAP.
We currently have usernames/passwords stored/authenticated from the
Kerberos database which FreeRADIUS also uses to authenticate users--I
don't have LDAP do this. LDAP simply determines the _authorization_ of
the user (what group they are in, what access they are provided)
I've read through a few LDAP-FreeRADIUS HOWTOs, but haven't come
across anything that suggests FreeRADIUS can do everything I want it
to. I interpret FreeRADIUS as having the following constructs:
clients (clients.conf): All devices FreeRADIUS will communicate with
and provide access to. I don't see any way these can be defined in
LDAP instead and have FreeRADIUS pull clients from the database
instead of a local file, which is what I want.
users: All users which will have some sort of access to one of the
clients. It appears users are able to be pulled from the LDAP
directory by providing the correct DN users are located in. For me,
users are all located in ou=people,dc=grnoc,dc=iu,dc=edu. My personal
entry is something like:
dn: uid=mrmccrac,ou=people,dc=grnoc,dc=iu,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: radiusprofile
...
uid: mrmccrac
I still need to go back and look at the HOWTO perhaps, although I
believe this setup can be used somehow/somewhere with FreeRADIUS to
have it pull all of our users (specifically uids) from LDAP instead of
a local file. This leads me to the next FreeRADIUS construct..
groups (group): this specifies groups of users, which can then later
be used to define access levels (in huntgroups?). From what I read
this too can be pulled from FreeRADIUS, that is, the groupOfNames
object class can be interpreted if you supply the DN which has all of
the groups. An example groupOfNames object I currently have is as such:
dn: cn=dev,ou=ldapgroups,dc=grnoc,dc=iu,dc=edu
cn: dev
objectClass: groupOfNames
objectClass: top
member: uid=mrmccrac,ou-people,dc=grnoc,dc=iu,dc=edu
Thus I should be able to tell FreeRADIUS to look at dn:
ou=ldapgroups,dc=grnoc,dc=iu,dc=edu, and it should know to look at the
member attributes to determine which users DN are in each group it
finds. Now, finally...
huntgroups: I believe this is the glue between users/groups to RADIUS
clients. I think the level of access can be defined per group (which
would be ideal), and then with huntgroups we say which groups may get
their specified level of access (enable mode or not..) to which
networking devices we specified in the clients. Again, like
clients.conf, I don't want to have to edit the huntgroups file anytime
a change is made, but instead make the change in the LDAP directory
and have FreeRADIUS pull all huntgroups from there.
Is any/all of what I mentioned currently possible based upon my
current setup and FreeRADIUS's capabilities? Or, will all changes to
clients and huntgroups need to be made locally in a file on the radius
server, but I can at least pull available users and the groups that
exist/they belong in from LDAP?
Again, we're using Kerberos to do the user/password authentication,
but want LDAP to do the authorization schema I provided. Any
FreeRADIUS configuration examples/LDIF examples would be greatly
appreciated, thanks for reading this far :).
Mitch
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Freeradius provides ldap authentication of users (either through ldap
bind or by pulling the password from the user entry), authorization
based on radius specific ldap attributes (an ldap radius schema is
provided in the doc directory), group membership evaluation (one way is
with groupofnames just like your groups). It does not provide ldap based
huntgroups and clients. So you can 'pull' available users and groups but
not anything else.
--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html