
Muntar un LDAP perquè el RADIUS n'agafi els usuaris

LDAP

Engegar LDAP

docker run --name ldap_msf -d -p 389:389 -e SLAPD_PASSWORD=asdasd -e SLAPD_DOMAIN=matarosensefils.net dinkel/openldap

Cerca (amb `-w asdasd` la contrasenya de l'admin queda a la línia d'ordres i a l'historial del shell; amb `-W` l'ordre la demana):

ldapsearch -x -h localhost -b dc=matarosensefils,dc=net -D "cn=admin,dc=matarosensefils,dc=net" -w asdasd

Inserir usuaris. Creem el fitxer `usuaris.ldif` (és el nom que espera l'ordre `ldapadd` de més avall) amb el següent contingut:

usuaris.ldif
# usuaris.ldif: one organizationalUnit for people plus two inetOrgPerson
# entries under it.
dn: ou=persones, dc=matarosensefils,dc=net
ou: persones
description: All people in organisation
objectclass: organizationalunit

# uid is the value the FreeRADIUS user filter on this page searches for.
# userpassword is loaded exactly as written, i.e. in clear; slappasswd can
# produce a {SSHA} value to put here instead.
dn: cn=Jose Legido,ou=persones,dc=matarosensefils,dc=net
objectclass: inetOrgPerson
cn: Jose Legido
sn: Legido
uid: jose.legido
userpassword: 12345678

# Second account, later referenced by the "read" group.
dn: cn=Usuari Lectura,ou=persones,dc=matarosensefils,dc=net
objectclass: inetOrgPerson
cn: Usuari Lectura
sn: Lectura
uid: usuari.lectura
userpassword: 87654321

Els afegim al directori:

ldapadd -x -h localhost -D "cn=admin,dc=matarosensefils,dc=net" -w asdasd -f usuaris.ldif 

Creem els grups (cada `member` ha de ser exactament el DN de l'entrada de l'usuari, `ou=persones` inclòs; si no, el grup apunta a una entrada que no existeix):

grups.ldif
# grups.ldif: one organizationalUnit for groups and two groupOfNames entries.
dn: ou=grups,dc=matarosensefils,dc=net
objectClass: organizationalUnit
ou: grups

dn: cn=admin,ou=grups,dc=matarosensefils,dc=net
cn: admin
objectclass: groupofNames
# NOTE(review): the user above was created as
# cn=Jose Legido,ou=persones,dc=matarosensefils,dc=net; this DN lacks
# ou=persones, so it names an entry that does not exist. slapd accepts it
# anyway (no referential check unless an overlay such as refint is enabled).
member: cn=Jose Legido,dc=matarosensefils,dc=net 

dn: cn=read,ou=grups,dc=matarosensefils,dc=net
cn: read
objectclass: groupofNames
# NOTE(review): same problem, ou=persones missing from the member DN.
member: cn=Usuari Lectura,dc=matarosensefils,dc=net
ldapadd -x -h localhost -D "cn=admin,dc=matarosensefils,dc=net" -w asdasd -f grups.ldif 

Per buscar un usuari en concret:

ldapsearch -x -h localhost -b dc=matarosensefils,dc=net -D "cn=admin,dc=matarosensefils,dc=net" -w asdasd "uid=jose.legido"

Freeradius

https://www.golinuxcloud.com/freeradius-ldap-authentication-authorization/

docker run --name radius_msf -p 5000:5000 -p 1812:1812/udp -ti freeradius/freeradius-server
/etc/freeradius/3.0/sites-enabled# cat /etc/freeradius/3.0/mods-enabled/ldap

Modifiquem aquests paràmetres:

# Parameters to change in mods-enabled/ldap. The stock file is written for
# Active Directory (sAMAccountName filter, CN=... base), hence the values
# that still look like AD here.
ldap {
   server = '172.17.0.1'
   # NOTE(review): the people container created above is ou=persones, not
   # CN=persones; the full configuration further down uses
   # base_dn = 'dc=matarosensefils,dc=net' instead.
   base_dn = 'CN=persones,DC=matarosensefils,DC=net'
   identity = 'cn=admin,dc=matarosensefils,dc=net'
   password = 'asdasd'

   user {
      # Stock AD filter; the full configuration below replaces it with (uid=...)
      filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"  
   }

}

Ens quedaria una cosa així:

# rlm_ldap instance pointed at the ldap_msf container started above:
# FreeRADIUS looks the user up by uid and authenticates against the
# userPassword attribute it reads from the entry.
ldap {
        # Docker host address as seen from the radius container; ldap_msf
        # publishes 389/tcp there (docker run -p 389:389). Plain LDAP, no TLS:
        # the bind password and the userPassword values read below cross the
        # bridge network in clear. Fine for this lab; elsewhere enable the
        # module's tls { start_tls = yes } or point at an ldaps:// URL.
        server = '172.17.0.1'
        # Bind credentials: the directory admin, password in clear in this
        # file (same SLAPD_PASSWORD as the docker run above), so the file's
        # permissions matter. A dedicated read-only bind account would be
        # enough for the lookups this configuration performs.
        identity = 'cn=admin,dc=matarosensefils,dc=net'
        password = asdasd
        base_dn = 'dc=matarosensefils,dc=net'
        update {
                # Authenticate with the entry's userPassword, so the bind
                # identity needs read access to that attribute. The LDIF on
                # this page stores the values in clear; a hashed value
                # ({SSHA} etc.) works as well with Password-With-Header.
                control:Password-With-Header    += 'userPassword'

                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }
        user_dn = "LDAP-UserDn"

        user {
                base_dn = "${..base_dn}"
                # Match on uid, which is what usuaris.ldif sets
                # (uid: jose.legido); the stock filter used sAMAccountName.
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        # NOTE(review): stock group settings, not adapted to this directory:
        # grups.ldif creates groupOfNames entries with a member attribute, and
        # nothing on this page adds memberOf to the users, so Ldap-Group checks
        # would not match as written. Only matters if group-based
        # authorization is added later.
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }

        # RADIUS clients loaded from LDAP (radiusClient objects); nothing on
        # this page creates such entries, the clients come from clients.conf.
        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'
                attribute {
                        ipaddr                          = 'radiusClientIdentifier'
                        secret                          = 'radiusClientSecret'
                }
        }
        # Accounting and post-auth look like they write a timestamp into the
        # user's description attribute, which needs write access on the entry
        # (the admin bind above has it) — presumably unused in this lab.
        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"
                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }
                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }
                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }

        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }

        # Stock connection options (timeouts in seconds, keepalive probes,
        # libldap debug mask); left as shipped.
        options {
                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }

        # Stock connection pool, sized from the server's thread pool.
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}
/etc/freeradius/3.0/clients.conf
# RADIUS client definition: any NAS in 10.0.0.0/8 may talk to this server
# using the shared secret below. The source address is the only thing tying
# a client to the secret, so keep the range to the NAS addresses actually in
# use and prefer a long random secret over a word.
# NOTE(review): the radtest below targets 127.0.0.1, which is outside this
# range; presumably the stock localhost client entry is still in the file
# and its secret was also set to mataro — confirm.
client xarxa {
   ipaddr = 10.0.0.0/8
   secret = mataro
}

Desactivem el mòdul EAP (n'esborrem l'enllaç de mods-enabled) i provem l'autenticació amb radtest:

rm /etc/freeradius/3.0/mods-enabled/eap
radtest jose.legido 12345678 127.0.0.1 1812 mataro

Mikrotik

docker-compose.yml
# RouterOS (Mikrotik) test router as a container. The tun device and
# NET_ADMIN are presumably what the image needs for its virtual networking.
services:
    routeros:
      image: evilfreelancer/docker-routeros
      restart: unless-stopped
      cap_add:
        - NET_ADMIN
      devices:
        - /dev/net/tun
      # Host port mappings, bound on every host interface. 12223 exposes
      # telnet (23) and 18728 the plain RouterOS API (8728); if the host is
      # reachable from other machines, bind them to loopback
      # ("127.0.0.1:12223:23") or drop the ones the lab does not use.
      ports:
        - "12222:22"
        - "8291:8291"
        - "12223:23"
        - "18728:8728"
        - "18729:8729"
        - "8090:80"
      # Two attachments with fixed addresses; priority decides which one
      # becomes the container's default route (higher wins).
      networks:
        lan_internal:
          priority: 1000
          ipv4_address: 182.18.18.2
        lan_net:
          priority: 900
          ipv4_address: 172.16.16.2

networks:
    lan_net:
      driver: bridge
      ipam:
        driver: default
        config:
          - subnet: "172.16.16.0/24"
            gateway: 172.16.16.1
    # NOTE(review): 182.18.18.0/24 is not RFC 1918 space (182.0.0.0/8 is
    # publicly routable), so this bridge shadows real Internet addresses on
    # the host; a private range avoids that.
    lan_internal:
      ipam:
        driver: default
        config:
          - subnet: "182.18.18.0/24"
            gateway: 182.18.18.1