Developers Club geek daily blog

Good day, everyone.
I want to share a solution to one somewhat non-standard task. I hope it will be useful to someone.
So,

GIVEN:

A low-power ARM board with Debian 7 (wheezy) built for it and installed.

TASK:

Install FreeRADIUS 3.0.x and configure it to work with an SQLite database, i.e. RADIUS must take the accounts of the users it authenticates from the SQLite DB.

The figure shows the top-level scheme of how the components interact.

Building and configuring FreeRADIUS 3 with SQLite support

Why did I decide to describe this solution?

Having faced this task and started googling, I was surprised to find that there are simply no detailed descriptions of building freeradius, let alone with SQLite support. So I decided to write it up, for my own and others' reference.

SOLUTION:

It consists of 3 parts:
1) Building Freeradius 3.0.3 (I chose this version; later ones will look roughly the same) with SQLite support;
2) Configuring the Freeradius + SQLite combination;
3) Configuring the server on which users are authenticated (the "server" in the figure above).

1 Building Freeradius 3.0.3 with SQLite support

To build radius 3.0.3 successfully, follow these steps:
1.1 Download the source code from ftp.freeradius.org/pub/freeradius/old/freeradius-server-3.0.3.tar.gz and unpack it into a separate folder;
1.2 Install the following packages via apt-get: libtalloc2, libtalloc-dev, libssl-dev, libperl-dev, libpam0g-dev, libsqlite3-dev, libgdbm-dev (if support for another DB is needed, install the corresponding dev package as well, for example mysql-dev);
1.3 Go to the folder with the unpacked sources and, trivially:
./configure
make
make install

If ./configure does not complete the first time, some packages are probably still missing from the system; read the output carefully and install them.

2 Configuring the Freeradius + SQLite combination

To set up freeradius + sqlite, perform the following operations:

2.1 Create and configure the sqlite user database

2.1.1 Create the sqlite database and, in it, the schema that radius will work with:
sqlite3 /etc/raddb/sqlite_rad.db < /etc/raddb/mods-config/sql/main/sqlite/schema.sql

/etc/raddb/sqlite_rad.db is the path to the DB file; you can place it anywhere convenient.
2.1.2 Create the user's account in the DB:
sqlite3 /etc/raddb/sqlite_rad.db
insert into radcheck values ('1','user','Cleartext-Password',':=','secret');

With the statement above we fill the radcheck table, which stores account information for users, with the following data:
unique user ID = 1; user name = user; account attribute = Cleartext-Password; operator = ":="; attribute value = "secret". In plain words, we set the password for the account "user", which is also its value: "secret" is stored as clear text. More about attribute-value pairs (av pairs) and comparison operators can be read in the official radius and unlang documentation: freeradius.org/radiusd/man/unlang.html
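As an added illustration (not code from the original post), the Python below populates radcheck the way step 2.1.2 does and also shows the SSHA-Password alternative that rlm_pap accepts in place of a cleartext value, together with an illustrative re-implementation of the comparison rlm_pap performs. The table definition mirrors radcheck from the schema.sql shipped with FreeRADIUS 3.0.x; the in-memory path, user names and passwords are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# radcheck as in FreeRADIUS 3.0.x mods-config/sql/main/sqlite/schema.sql (only this
# table is reproduced; the shipped schema.sql creates several more).
RADCHECK_DDL = """CREATE TABLE IF NOT EXISTS radcheck (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  username  varchar(64)  NOT NULL default '',
  attribute varchar(64)  NOT NULL default '',
  op        char(2)      NOT NULL DEFAULT '==',
  value     varchar(253) NOT NULL default '')"""

def open_db(path=":memory:"):
    """Open or create the user DB (":memory:" keeps this demo self-contained)."""
    conn = sqlite3.connect(path)
    conn.execute(RADCHECK_DDL)
    return conn

def ssha_password(password, salt=None):
    """Layout rlm_pap verifies for SSHA-Password: base64(SHA1(pw || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()

def add_user(conn, username, password, hashed=True):
    """Insert the user's av pair: the article's Cleartext-Password row when
    hashed=False, an SSHA-Password row (salted SHA-1 at rest) when hashed=True."""
    if hashed:
        attr, value = "SSHA-Password", ssha_password(password)
    else:
        attr, value = "Cleartext-Password", password
    conn.execute("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
                 (username, attr, ":=", value))
    conn.commit()

def check_password(conn, username, candidate):
    """Illustrative re-implementation of the PAP comparison rlm_pap makes against
    the stored known-good attribute; returns True only on a match."""
    row = conn.execute("SELECT attribute, value FROM radcheck WHERE username = ? AND "
                       "attribute IN ('Cleartext-Password', 'SSHA-Password')",
                       (username,)).fetchone()
    if row is None:
        return False
    attr, value = row
    if attr == "Cleartext-Password":
        return hmac.compare_digest(value.encode(), candidate.encode())
    raw = base64.b64decode(value)          # 20-byte SHA-1 digest followed by the salt
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
```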

2.2 Configure freeradius:

2.2.1 Configuration files for all available radius modules live in /etc/raddb/mods-available. To enable a module, create a symlink to it in the /etc/raddb/mods-enabled folder:
cd /etc/raddb/mods-enabled
ln -s /etc/raddb/mods-available/sql sql

2.2.2 Edit /etc/raddb/mods-enabled/sql as follows:
sql {
	...
	driver = "rlm_sql_sqlite"
	...
	sqlite {
		filename = "/etc/raddb/sqlite_rad.db"
	}
	...
	dialect = "sqlite"
	...
}

The filename variable must point to the DB file created in step 2.1.1.
2.2.3 Register the radius client, i.e. the server (or network equipment) whose users will be authenticated through this radius. To do this, add to /etc/raddb/clients.conf:
client 192.168.0.4 {
       secret          = testing123
       shortname       = new_server
}

secret here is the shared secret by which radius authenticates the client.
shortname is an arbitrary "short name"; this value can even be omitted.
2.2.4 Check that in /etc/raddb/sites-enabled/default the "authorize" section contains "-sql":
authorize {
	...
	-sql
	...
}


3 Configuring the RADIUS client

3.1 On the client, install the pam_radius package:
apt-get install libpam-radius-auth

3.2 On the client, add a line to /etc/pam_radius_auth.conf:
other-server    other-secret       3

where other-server is the IP address of the radius server and other-secret is the shared secret from step 2.2.3:
192.168.0.2     testing123    3

3.3 In /etc/pam.d/sshd, above the lines
# Standard Un*x authentication.
@include common-auth

add the line
auth       sufficient  pam_radius_auth.so

That's all. Start RADIUS and enjoy the PROFIT.

This article is a translation of the original post at habrahabr.ru/post/274251/
