[freeradius] début de conf (module ldap wifi)

Puisqu'on en a parlé en séminaire et rajouté un fichier, autant le commit. On rajoute au passage un niveau d'indirection pour radius pour différencier les serveurs freeradius pour le filaire et pour le wifi.
2013-05-15 11:36:04 +02:00 · 2013-05-15 11:36:04 +02:00 · 740c37a6c6
commit 740c37a6c6
parent 82dd04764b
3 changed files with 199 additions and 4 deletions
--- a/Bundler/freeradius.xml
+++ b/Bundler/freeradius.xml
@ -1,4 +1,10 @@
 <Bundle name="freeradius">
+  <Group name="wifi-auth">
+    <!-- Ce fichier n'est nécessaire que pour l'auth wifi (eap)
+         en filaire, on utilise un script custom (qui se connecte
+         lui-même à ldap -->
+    <Python name="/etc/freeradius/modules/ldap" />
+  </Group>
  <Package name="freeradius" />
  <Package name="freeradius-ldap" />
  <Package name="freeradius-utils" />
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@ -56,7 +56,7 @@
    <Group name="vlan-isolement"/>
    <Group name="vlan-ens"/>
 -->
-    <Group name="radius-server"/>
+    <Group name="wired-auth"/>
    <Group name="db-replicat"/>
    <Group name="dns-primary"/>
    <Group name="firmware-bnx2"/>
@ -69,7 +69,7 @@
    <Group name="dnssec-validation"/>
    <Group name="dns-recursif"/>
    <Group name="secondary-ntp-server"/>
-    <Group name="radius-server" />
+    <Group name="wifi-auth" />
  </Group>

  <Group name="malloc"
@ -206,7 +206,7 @@
    profile="true">
    <Group name="crans-domu-squeeze" />
    <Group name="db-replicat" />
-    <Group name="radius-server" />
+    <Group name="wifi-auth" />
    <Group name="vlan-wifi" />
    <Group name="non-vlan-adherent" />
    <Bundle name="check_cert" /><!-- Certif radius -->
@ -316,7 +316,7 @@
 <Group name="radius"
    profile="true">
   <Group name="crans-domu-squeeze"/>
-   <Group name="radius-server"/>
+   <Group name="wired-auth"/>
   <Group name="non-vlan-adherent"/>
   <Group name="db-replicat"/>
 </Group>
@ -831,8 +831,17 @@
    <!-- TODO: A implémenter -->
  </Group>

+  <Group name="wifi-auth" comment="Service d'authentification wifi">
+    <Group name="radius-server"/>
+  </Group>
+
+  <Group name="wired-auth" comment="Service d'authentification filaire">
+    <Group name="radius-server"/>
+  </Group>
+
  <Group name="radius-server"
     comment="Un serveur radius">
+    <!--TODO: la conf du serveur radius est pour le moment manuelle -->
    <Group name="radius-server-backend"/>
  </Group>

--- a/Python/etc/freeradius/modules/ldap
+++ b/Python/etc/freeradius/modules/ldap
@ -0,0 +1,180 @@
+# -*- coding: utf-8 -*-
+
+include("secrets")
+
+if has("db-replicat"):
+    server = 'localhost'
+else:
+    server = 'ldap.adm.crans.org'
+print """
+# -*- text -*-
+# ceci est le fichier /etc/freeradius/modules/ldap
+#
+#  $Id: ldap,v 1.1 2008/05/30 09:18:45 aland Exp $
+
+# Lightweight Directory Access Protocol (LDAP)
+#
+#  This module definition allows you to use LDAP for
+#  authorization and authentication.
+#
+#  See raddb/sites-available/default for reference to the
+#  ldap module in the authorize and authenticate sections.
+#
+#  However, LDAP can be used for authentication ONLY when the
+#  Access-Request packet contains a clear-text User-Password
+#  attribute.  LDAP authentication will NOT work for any other
+#  authentication method.
+#
+#  This means that LDAP servers don't understand EAP.  If you
+#  force "Auth-Type = LDAP", and then send the server a
+#  request containing EAP authentication, then authentication
+#  WILL NOT WORK.
+#
+#  The solution is to use the default configuration, which does
+#  work.
+#
+#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
+#  really can't emphasize this enough.
+#
+ldap {
+	#
+	#  Note that this needs to match the name in the LDAP
+	#  server certificate, if you're using ldaps.
+	server = "%(server)s"
+	identity = "cn=readonly,dc=crans,dc=org"
+	password = %(password)s
+	basedn = "ou=data,dc=crans,dc=org"
+	# Note: pour pouvoir filter par macAddress=MAC fournie, il faut remplacer les - par des :
+	# (la casse n'est pas importante pour ldap)
+	# Si toutefois, la variable est vide, on laisse passer (a priori, lorsque ttls, la connexion
+	# interne n'est pas issue de la borne mais du tunnel, donc cela ne passe pas, par défaut, 
+	# donc tout est accepté, cependant, avec copy_request_to_tunnel = yes dans eap.conf, on s'en sort)
+	# Ceci est fait dans le fichier hints par le matching d'une expression régulière, extrait:
+	#DEFAULT  Calling-Station-Id =~ "^(..)-(..)-(..)-(..)-(..)-(..)$"
+	#Calling-Station-Id := `%%{1}:%%{2}:%%{3}:%%{4}:%%{5}:%%{6}`
+	# On auth désormais par login=mac OU hostname (sans le .wifi.crans.org)
+	filter = "(&(macAddress=%%{Calling-Station-Id:-*})(|(macAddress=%%{Stripped-User-Name:-%%{User-Name}})(host=%%{Stripped-User-Name:-%%{User-Name}}.wifi.crans.org)))"
+	#filter = "(&(macAddress=%%{Stripped-User-Name:-%%{User-Name}})(objectclass=machineWifi))"
+	base_filter = "(objectclass=machineWifi)"
+
+	#  How many connections to keep open to the LDAP server.
+	#  This saves time over opening a new LDAP socket for
+	#  every authentication request.
+	ldap_connections_number = 5
+
+	# seconds to wait for LDAP query to finish. default: 20
+	timeout = 4
+
+	#  seconds LDAP server has to process the query (server-side
+	#  time limit). default: 20
+	#
+	#  LDAP_OPT_TIMELIMIT is set to this value.
+	timelimit = 3
+
+	#
+	#  seconds to wait for response of the server. (network
+	#   failures) default: 10
+	#
+	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
+	net_timeout = 1
+
+	#
+	#  This subsection configures the tls related items
+	#  that control how FreeRADIUS connects to an LDAP
+	#  server.  It contains all of the "tls_*" configuration
+	#  entries used in older versions of FreeRADIUS.  Those
+	#  configuration entries can still be used, but we recommend
+	#  using these.
+	#
+	tls {
+		# Set this to 'yes' to use TLS encrypted connections
+		# to the LDAP database by using the StartTLS extended
+		# operation.
+		#
+		# The StartTLS operation is supposed to be
+		# used with normal ldap connections instead of
+		# using ldaps (port 689) connections
+		start_tls = no
+
+		# cacertfile	= /path/to/cacert.pem
+		# cacertdir		= /path/to/ca/dir/
+		# certfile		= /path/to/radius.crt
+		# keyfile		= /path/to/radius.key
+		# randfile		= /path/to/rnd
+
+		#  Certificate Verification requirements.  Can be:
+		#    "never" (don't even bother trying)
+		#    "allow" (try, but don't fail if the cerificate
+		#		can't be verified)
+		#    "demand" (fail if the certificate doesn't verify.)
+		#
+		#	The default is "allow"
+		# require_cert	= "demand"
+	}
+
+	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
+	# profile_attribute = "radiusProfileDn"
+	# access_attr = "dialupAccess"
+
+	# Mapping of RADIUS dictionary attributes to LDAP
+	# directory attributes.
+	dictionary_mapping = ${confdir}/ldap.attrmap
+
+	#  Set password_attribute = nspmPassword to get the
+	#  user's password from a Novell eDirectory
+	#  backend. This will work ONLY IF FreeRADIUS has been
+	#  built with the --with-edir configure option.
+	#
+	#  See also the following links:
+	#
+	#  http://www.novell.com/coolsolutions/appnote/16745.html
+	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
+	#
+	#  Novell may require TLS encrypted sessions before returning
+	#  the user's password.
+	#
+	# password_attribute = userPassword
+
+	#  Un-comment the following to disable Novell
+	#  eDirectory account policy check and intruder
+	#  detection. This will work *only if* FreeRADIUS is
+	#  configured to build with --with-edir option.
+	#
+	edir_account_policy_check = no
+
+	#
+	#  Group membership checking.  Disabled by default.
+	#
+	# groupname_attribute = cn
+	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%%{Ldap-UserDn})))"
+	# groupmembership_attribute = radiusGroupName
+
+	# compare_check_items = yes
+	do_xlat = yes
+	# access_attr_used_for_allow = yes
+
+	#
+	#  By default, if the packet contains a User-Password,
+	#  and no other module is configured to handle the
+	#  authentication, the LDAP module sets itself to do
+	#  LDAP bind for authentication.
+	#
+	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
+	#
+	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
+	#
+	#  You can disable this behavior by setting the following
+	#  configuration entry to "no".
+	#
+	#  allowed values: {no, yes}
+	# set_auth_type = yes
+
+	#  ldap_debug: debug flag for LDAP SDK
+	#  (see OpenLDAP documentation).  Set this to enable
+	#  huge amounts of LDAP debugging on the screen.
+	#  You should only use this if you are an LDAP expert.
+	#
+	#	default: 0x0000 (no debugging messages)
+	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
+	#ldap_debug = 0x0028 
+}""" % {'password': secrets.ldap_readonly_password, 'server': server}