Setup FreeRadius + ldap + single sign-on

Question

I am trying to configure Single sign-on using FreeRadius.

Scenario: I have a fully configured LDAP (389 DS) Version-2.1 with a few users and groups (in CentOS6). I have installed FreeRadius (latest stable version) (in CentOS 6). Configured FreeRadius to listen to the above LDAP server.

I have made a client system (CentOS6) a radius client using the pam_radius module. Now I am able to log in to the NAS with the LDAP credentials and am getting logs correctly in FreeRadius.

Now I want to implement single sign-on in this setup, since I want to add some other devices like a firewall (Sonicwall) to authenticate.

I couldn't find any good docs to configure this.

Can someone please suggest to me how to configure Single sign-on in the above setup?
Answer

For firewalls most people just use the accounting data to start and stop sessions as appropriate. This is usually triggering a script from within the `accounting {}` section of the freeradius server, creating the session on `Acct-Status-Type == Start` and destroying it on `Acct-Status-Type == Stop`.
If the PAM module sends Interim-Updates, you can record those in a database, and also set a 'lastupdated' timestamp. You then have a cronjob to check for rows where `NOW() - lastupdated > (interim-interval * 2)`, and for those rows, delete the session on the firewall and close out the session in the database.
There is no proper SSO mechanism I know of which runs purely over RADIUS; the Project Moonshot guys were trying to get something working with SAML and a special EAP method, but it's probably too complex for what you want here, and not supported by PAM anyway.
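The accounting-driven session tracking the answer describes, as an added example that is not part of the original answer or of FreeRADIUS: one handler for Start / Interim-Update / Stop records, a session table with a `lastupdated` timestamp, and the stale-row sweep a cron job would run. The attribute dict, the SQLite schema and the returned action strings (standing in for the firewall call) are assumptions; timestamps are plain epoch seconds.

```python
import sqlite3

INTERIM_INTERVAL = 300  # assumed Acct-Interim-Interval in seconds

def open_db():
    # Session table; a real deployment would use a persistent database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user TEXT,"
                 " framed_ip TEXT, lastupdated INTEGER, closed INTEGER DEFAULT 0)")
    return conn

def handle_accounting(conn, attrs, now):
    """Process one accounting packet. `attrs` is a dict of RADIUS attributes
    (assumed interface; a script run by rlm_exec would read them from the
    environment instead). Returns the firewall action the caller should take."""
    status = attrs.get("Acct-Status-Type")
    sid = attrs.get("Acct-Session-Id")
    if not sid:
        return "ignore"  # never act on a packet without a session id
    if status == "Start":
        conn.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?, ?, 0)",
                     (sid, attrs.get("User-Name"), attrs.get("Framed-IP-Address"), now))
        return "open"
    if status == "Interim-Update":
        # Refresh lastupdated only for sessions still open; a late update for
        # a closed session must not resurrect it.
        conn.execute("UPDATE sessions SET lastupdated = ? WHERE session_id = ? AND closed = 0",
                     (now, sid))
        return "refresh"
    if status == "Stop":
        conn.execute("UPDATE sessions SET closed = 1 WHERE session_id = ?", (sid,))
        return "close"
    return "ignore"

def sweep_stale(conn, now, interim_interval=INTERIM_INTERVAL):
    """Cron-job half: rows where NOW() - lastupdated > interim_interval * 2 are
    sessions whose client silently vanished. Close them in the database and
    return their ids so the caller can tear them down on the firewall too."""
    rows = conn.execute("SELECT session_id FROM sessions WHERE closed = 0"
                        " AND ? - lastupdated > ?", (now, interim_interval * 2)).fetchall()
    stale = [r[0] for r in rows]
    for sid in stale:
        conn.execute("UPDATE sessions SET closed = 1 WHERE session_id = ?", (sid,))
    return stale
```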