FreeIPA + FreeRADIUS: authenticate by one-time password. DON'T USE users.
luckydog xf
luckydogxf at gmail.com
Mon Nov 20 10:38:32 CET 2017
Hello,
I asked about this solution several days ago, but right now I have figured out
how, so I write it down here just FYI.
1. Install FreeIPA and FreeRADIUS; refer to this link:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
2. The critical part of `module-enabled/ldap`:

    ldap {
        server = 'localhost'
        base_dn = 'dc=xxx,dc=com'

        user {
            # FreeIPA keeps user entries under cn=accounts
            base_dn = "cn=accounts,${..base_dn}"
            # remaining user settings as in the stock module configuration
        }

        group {
            # FreeIPA's compat tree exposes groups as posixGroup entries whose
            # memberUid values are what the membership filter matches against
            base_dn = "cn=compat,${..base_dn}"
            filter = '(objectClass=posixGroup)'
            name_attribute = cn
            membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
    }
3. Grant privileges in the post-auth section of site-enabled/default:

    post-auth {
        # Map the user's LDAP group to a Huawei exec privilege level;
        # anyone in no mapped group is rejected (default deny)
        if (LDAP-Group == "network-admins") {
            update reply {
                Service-Type = "NAS-Prompt-User",
                Huawei-Exec-Privilege = "3",
                Login-Service = 50,
            }
        }
        elsif (LDAP-Group == "network-operators") {
            update reply {
                Service-Type = "NAS-Prompt-User",
                Huawei-Exec-Privilege = "2",
                Login-Service = 50,
            }
        }
        else {
            reject
        }
    }
4. Create a group named 'network-admins', etc., add users, and enable OTP;
test with 'radtest user password localhost 0 testing123'.
5. That's all, good luck.
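An added check, not part of the original post, for verifying that the post-auth mapping above really does what it should: it reads the reply block that radtest prints for one request and confirms that a network-admins user gets NAS-Prompt-User with Huawei-Exec-Privilege 3, a network-operators user gets level 2, and a user in no mapped group gets Access-Reject. The sample replies embedded below are constructed in radtest's output format, not captured from a real server; the user names and the "password+otp" shape of the password in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: check a radtest reply against the
# group-to-privilege mapping the post-auth section is supposed to enforce.
# The sample replies at the bottom are constructed, not captured from a server.

# check_reply EXPECTED
#   Reads one radtest reply from stdin. EXPECTED is the Huawei-Exec-Privilege
#   level the user's group should get ("3" or "2") or "reject" for users in no
#   mapped group. Returns 0 when the reply matches, 1 otherwise.
check_reply() {
    expected="$1"
    reply=$(cat)

    if printf '%s\n' "$reply" | grep -q '^Received Access-Reject'; then
        if [ "$expected" = "reject" ]; then
            echo "ok: Access-Reject as expected"
            return 0
        fi
        echo "FAIL: expected privilege $expected but got Access-Reject"
        return 1
    fi

    if ! printf '%s\n' "$reply" | grep -q '^Received Access-Accept'; then
        echo "FAIL: neither Access-Accept nor Access-Reject in reply"
        return 1
    fi

    if [ "$expected" = "reject" ]; then
        echo "FAIL: user should have been rejected but got Access-Accept"
        return 1
    fi

    # Attribute lines are indented; strip the name and any quotes around the value.
    priv=$(printf '%s\n' "$reply" \
        | sed -n 's/^[[:space:]]*Huawei-Exec-Privilege = //p' | tr -d '"')
    svc=$(printf '%s\n' "$reply" \
        | sed -n 's/^[[:space:]]*Service-Type = //p')

    if [ "$priv" = "$expected" ] && [ "$svc" = "NAS-Prompt-User" ]; then
        echo "ok: NAS-Prompt-User with Huawei-Exec-Privilege $priv"
        return 0
    fi
    echo "FAIL: got Service-Type '$svc', Huawei-Exec-Privilege '$priv', expected $expected"
    return 1
}

# Constructed sample replies in the format radtest prints.
ADMIN_REPLY='Received Access-Accept Id 42 from 127.0.0.1:1812 to 127.0.0.1:51234 length 44
    Service-Type = NAS-Prompt-User
    Huawei-Exec-Privilege = 3
    Login-Service = 50'

OPERATOR_REPLY='Received Access-Accept Id 43 from 127.0.0.1:1812 to 127.0.0.1:51235 length 44
    Service-Type = NAS-Prompt-User
    Huawei-Exec-Privilege = 2
    Login-Service = 50'

NOBODY_REPLY='Received Access-Reject Id 44 from 127.0.0.1:1812 to 127.0.0.1:51236 length 20'

# run_samples: exercise the checker on the constructed replies; returns 0 if all pass,
# including the negative case where a reply grants the wrong level.
run_samples() {
    printf '%s\n' "$ADMIN_REPLY"    | check_reply 3      || return 1
    printf '%s\n' "$OPERATOR_REPLY" | check_reply 2      || return 1
    printf '%s\n' "$NOBODY_REPLY"   | check_reply reject || return 1
    if printf '%s\n' "$OPERATOR_REPLY" | check_reply 3; then
        return 1
    fi
    return 0
}

# Against a live server, pipe the post's test command through the checker, e.g.
#   radtest alice 'password+otp' localhost 0 testing123 | check_reply 3
#   radtest mallory 'password+otp' localhost 0 testing123 | check_reply reject
run_samples
```

Run one line per test user after step 4; the negative case (an account in neither group) matters as much as the positive ones, because it is the `else { reject }` branch that keeps every other FreeIPA account off the devices.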