OpenLDAP + FreeRADIUS Complete Solution

[Kostas Kalevras]

O/H Mitch McCracken έγραψε:
> When organizations grow, there becomes more and more systems that need 
> to be maintained, and each may have different configurations and users 
> which have access to them. Individually editing local config files 
> gets old pretty fast for hundred of devices, and developing a unified 
> and central user authorization database system that spans across all 
> types of information systems becomes necessary.
>
> Enter: OpenLDAP. I think I've developed a solution to maintain Linux 
> hosts which controls POSIX users/groups/sudo access/apache website 
> access/etc. by using a central LDAP database that stores policies of 
> what a user can do on any one of our PCs. The actual configuration got 
> fairly ugly, though (PAM not allowing you to specify more than one 
> LDAP Group to allow access to the machine, thus the posixGroup LDAP 
> schema had to be used (since /etc/security/access.conf allows you to 
> specify multiple posix group access) instead of groupOfNames, but 
> groupOfNames is needed for apache's ldap auth module, so both must be 
> used..), but I've only covered access management for our websites and 
> Linux PCs, not all of the various routers, switches, or other 
> RADIUS-aware equipment that exist within the organization.
>
> Enter: FreeRADIUS. We do already have a FreeRADIUS configuration that 
> is auto-generated by our internal MySQL-based access policies to 
> control access to our networking equipment, although this is fairly 
> ugly, and it would be much much nicer if it could use the LDAP 
> database I'm currently developing to control access across all devices 
> instead. To put it gently, I want FreeRADIUS to be configured 
> *entirely* off of LDAP.
>
> We currently have usernames/passwords stored/authenticated from the 
> Kerberos database which FreeRADIUS also uses to authenticate users--I 
> don't have LDAP do this. LDAP simply determines the _authorization_ of 
> the user (what group they are in, what access they are provided)
>
> I've read through a few LDAP-FreeRADIUS HOWTOs, but haven't come 
> across anything that suggests FreeRADIUS can do everything I want it 
> to. I interpret FreeRADIUS as having the following constructs:
>
> clients (clients.conf): All devices FreeRADIUS will communicate with 
> and provide access to. I don't see any way these can be defined in 
> LDAP instead and have FreeRADIUS pull clients from the database 
> instead of a local file, which is what I want.
>
> users: All users which will have some sort of access to one of the 
> clients. It appears users are able to be pulled from the LDAP 
> directory by providing the correct DN users are located in. For me, 
> users are all located in ou=people,dc=grnoc,dc=iu,dc=edu. My personal 
> entry is something like:
>
> dn: uid=mrmccrac,ou=people,dc=grnoc,dc=iu,dc=edu
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: radiusprofile
> ...
> uid: mrmccrac
>
> I still need to go back and look at the HOWTO perhaps, although I 
> believe this setup can be used somehow/somewhere with FreeRADIUS to 
> have it pull all of our users (specifically uids) from LDAP instead of 
> a local file. This leads me to the next FreeRADIUS construct..
>
> groups (group): this specifies groups of users, which can then later 
> be used to define access levels (in huntgroups?). From what I read 
> this too can be pulled from FreeRADIUS, that is, the groupOfNames 
> object class can be interpreted if you supply the DN which has all of 
> the groups. An example groupOfNames object I currently have is as such:
>
> dn: cn=dev,ou=ldapgroups,dc=grnoc,dc=iu,dc=edu
> cn: dev
> objectClass: groupOfNames
> objectClass: top
> member: uid=mrmccrac,ou-people,dc=grnoc,dc=iu,dc=edu
>
> Thus I should be able to tell FreeRADIUS to look at dn: 
> ou=ldapgroups,dc=grnoc,dc=iu,dc=edu, and it should know to look at the 
> member attributes to determine which users DN are in each group it 
> finds. Now, finally...
>
> huntgroups: I believe this is the glue between users/groups to RADIUS 
> clients. I think the level of access can be defined per group (which 
> would be ideal), and then with huntgroups we say which groups may get 
> their specified level of access (enable mode or not..) to which 
> networking devices we specified in the clients. Again, like 
> clients.conf, I don't want to have to edit the huntgroups file anytime 
> a change is made, but instead make the change in the LDAP directory 
> and have FreeRADIUS pull all huntgroups from there.
>
> Is any/all of what I mentioned currently possible based upon my 
> current setup and FreeRADIUS's capabilities? Or, will all changes to 
> clients and huntgroups need to be made locally in a file on the radius 
> server, but I can at least pull available users and the groups that 
> exist/they belong in from LDAP?
>
> Again, we're using Kerberos to do the user/password authentication, 
> but want LDAP to do the authorization schema I provided. Any 
> FreeRADIUS configuration examples/LDIF examples would be greatly 
> appreciated, thanks for reading this far :).
>
> Mitch
>
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
Freeradius provides ldap authentication of users (either through ldap 
bind or by pulling the password from the user entry), authorization 
based on radius specific ldap attributes (an ldap radius schema is 
provided in the doc directory), group membership evaluation (one way is 
with groupofnames just like your groups). It does not provide ldap based 
huntgroups and clients. So you can 'pull' available users and groups but 
not anything else.

-- 
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com