List: freeradius-users
Subject: FreeIPA - FreeRADIUS - authenticate by one-time password. DON'T USE users.
From: luckydog xf <luckydogxf () gmail ! com>
Date: 2017-11-20 9:38:32
Message-ID: CAAoCYOzAROjLC5jWdmB9VPcAeu8bTgbY1Ww_wkQAMb6mxkn68g () mail ! gmail ! com
Hello,
I asked about this solution several days ago, but now I have figured out
how, so I am writing it down here just FYI.
1. Install FreeIPA and FreeRADIUS; refer to this link:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
2. Critical part of `module-enabled/ldap`
# In FreeRADIUS 3.x this file is raddb/mods-enabled/ldap.
ldap {
    server = 'localhost'
    base_dn = 'dc=xxx,dc=com'

    # Users live under the FreeIPA accounts tree.
    user {
        base_dn = "cn=accounts,${..base_dn}"
    }
    # ... (other settings unchanged) ...

    # Groups are read from the FreeIPA compat tree, where each group is
    # exposed as a posixGroup listing its members by uid in memberUid.
    group {
        base_dn = "cn=compat,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        name_attribute = cn
        # Match on the realm-stripped login name, falling back to User-Name.
        membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    # ... (other settings unchanged) ...
}
3. Grant privileges in the post-auth section of sites-enabled/default
# Goes inside the post-auth { ... } section of sites-enabled/default.
# Each LDAP group maps to a Huawei exec privilege level; users who are in
# neither group are rejected even though their credentials were valid.
if (LDAP-Group == "network-admins") {
    update reply {
        Service-Type = "NAS-Prompt-User",
        Huawei-Exec-Privilege = "3",   # Huawei VSA: user level 3
        Login-Service = 50             # Huawei-specific value for SSH login
    }
}
elsif (LDAP-Group == "network-operators") {
    update reply {
        Service-Type = "NAS-Prompt-User",
        Huawei-Exec-Privilege = "2",   # Huawei VSA: user level 2
        Login-Service = 50
    }
}
else {
    reject
}
4. Create a group named 'network-admins', etc., add users, and enable OTP;
test with 'radtest user password localhost 0 testing123'.
5. That's all, good luck.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
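As an added example (not part of the post above), a small POSIX shell script that uses radtest to verify that each role receives the privilege level the post-auth block in step 3 assigns, and that non-members are rejected. The user names, passwords, and the RADIUS_HOST / RADIUS_SECRET variables are assumed placeholders.

```shell
#!/bin/sh
# Added verification script, not part of the original post. It assumes the
# post-auth mapping from step 3 (network-admins -> 3, network-operators -> 2,
# everyone else rejected) and the radtest tool from freeradius-utils.
# User names, passwords and the shared secret below are placeholders.

# Read a radtest transcript on stdin and print the granted Huawei-Exec-Privilege,
# or "reject" when the server answered Access-Reject. Exits 1 if neither appears.
privilege_from_reply() {
    awk '
        /Received Access-Reject/ { print "reject"; found = 1; exit }
        /Huawei-Exec-Privilege/  { gsub(/"/, "", $NF); print $NF; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Report whether an observed result matches the value expected for the user's
# group. $1 user, $2 observed, $3 expected. Returns 0 on match, 1 otherwise.
check_expected() {
    if [ "$2" = "$3" ]; then
        echo "ok   $1 -> $2"
    else
        echo "FAIL $1 -> got '$2', expected '$3'"
        return 1
    fi
}

# Run radtest for every "user:password:expected" argument and report mismatches.
# With OTP enabled the password is the FreeIPA password followed by the token code.
# RADIUS_HOST and RADIUS_SECRET default to the values in the post's radtest line.
# Example: verify_mapping alice:Pw1234567:3 bob:Pw2345678:2 carol:Pw3456789:reject
verify_mapping() {
    host="${RADIUS_HOST:-localhost}"
    secret="${RADIUS_SECRET:-testing123}"
    rc=0
    for entry in "$@"; do
        user="${entry%%:*}"
        rest="${entry#*:}"
        pass="${rest%:*}"
        expected="${rest##*:}"
        got="$(radtest "$user" "$pass" "$host" 0 "$secret" 2>&1 | privilege_from_reply)" || got="none"
        check_expected "$user" "$got" "$expected" || rc=1
    done
    return "$rc"
}
```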