(1) Integrating the pfSense host with Windows AD
Key settings (excerpt)
System / User Manager / Authentication Servers / Edit
Authentication Servers
Search scope / Level
==> One Level
Base DN
==> DC=otp,DC=ai
Authentication containers
==> CN=Users,DC=otp,DC=ai;OU=Domain Controllers,DC=otp,DC=ai
Bind credentials
==> CN=administrator,CN=users,DC=otp,DC=ai
User naming attribute
==> samAccountName
=================================================
(2) Integrating pfSense's own FreeRADIUS service with Windows AD
Key settings (excerpt)
Services / FreeRADIUS / LDAP
Identity
==> CN=administrator,CN=users,DC=otp,DC=ai
Base DN
==> DC=otp,DC=ai
Filter
==> (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
Base Filter
==> objectClass=user
================================================
(3) Verification
ldapsearch
[2.7.2-RELEASE][admin@pfSense.home.arpa]/var/log: ldapsearch -x -H "ldap://192.168.100.168" -b "OU=IT,DC=otp,DC=ai" -D "CN=Administrator,CN=Users,DC=otp,DC=ai" -w "XXXXXXXXX" | grep "sAMAccountName"
sAMAccountName: it-admin
#vi /usr/local/etc/raddb/sites-enabled/default
authorize {
    # Look the user up in AD through rlm_ldap (the Services / FreeRADIUS / LDAP settings above)
    ldap
    # If the lookup succeeded, hand authentication to the ldap module
    if (ok || updated) {
        update control {
            Auth-Type := ldap
        }
    }
}
authenticate {
    # Authenticates by binding to AD as the user with the supplied password
    Auth-Type LDAP {
        ldap
    }
}
#echo 'radiusd_enable="YES"' >> /etc/rc.conf
#/usr/local/etc/rc.d/radiusd restart
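As an added example (not code from the original post or from pfSense/FreeRADIUS), the Python below emulates two behaviours of the settings above: how the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback in the FreeRADIUS LDAP filter expands (with RFC 4515 escaping applied to the value so that it cannot change the filter's structure), and whether a user DN would be located by pfSense's User Manager given the Authentication containers and One Level scope configured in section (1). The containers and filter are transcribed from the page; the function names and sample DNs are assumptions.

```python
import re

# Settings transcribed from sections (1) and (2) of the page
AUTH_CONTAINERS = "CN=Users,DC=otp,DC=ai;OU=Domain Controllers,DC=otp,DC=ai"
FREERADIUS_FILTER = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def expand_filter(template: str, request: dict) -> str:
    """Emulate FreeRADIUS's %{%{A}:-%{B}} expansion: A if present and
    non-empty, otherwise B. The value is escaped before insertion."""
    def repl(m):
        primary, fallback = m.group(1), m.group(2)
        value = request.get(primary) or request.get(fallback, "")
        return ldap_escape(value)
    return re.sub(r"%\{%\{([\w-]+)\}:-%\{([\w-]+)\}\}", repl, template)

def split_dn(dn: str):
    """Split a DN into lower-cased RDNs (the page's DNs contain no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_auth_containers(user_dn: str, containers: str = AUTH_CONTAINERS,
                       one_level: bool = True) -> bool:
    """Would pfSense find user_dn under these containers? With One Level
    scope only direct children of a container match; Subtree matches any depth."""
    user = split_dn(user_dn)
    for container in containers.split(";"):
        base = split_dn(container)
        if len(user) <= len(base) or user[-len(base):] != base:
            continue
        if not one_level or len(user) == len(base) + 1:
            return True
    return False
```

Checking a constructed DN such as CN=it-admin,OU=IT,DC=otp,DC=ai (OU=IT is the base used in the ldapsearch above) returns False with the page's container list, so an account kept there would have to be covered by adding OU=IT,DC=otp,DC=ai to Authentication containers or by switching the scope to Entire Subtree under a parent container.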