
FreeRADIUS2 using the LDAP backend of Zimbra Collaboration Suite (ZCS)


Remote Authentication Dial-In User Service (commonly abbreviated RADIUS) is a computer security protocol used for centralized authentication, authorization and accounting of user accounts for network access. RADIUS is defined in RFC 2865 and RFC 2866 and was originally used to authenticate remote network access over dial-up connections. RADIUS has since been implemented to authenticate remote network access over connections other than dial-up, such as Virtual Private Networking (VPN), wireless access points, Ethernet switches and other devices. (WIKI)

The most popular and most widely used open source RADIUS application is FreeRADIUS; its flexibility across platforms and its fast, feature-rich, modular and scalable design make it a frequent choice as the authentication backend for many ICT infrastructure services. According to its official website at http://freeradius.org, the latest stable FreeRADIUS release is version 2.1.12. This release supports KERBEROS, HEIMDAL, LDAP, PGSQL, UNIXODBC, FIREBIRD, PERL, PYTHON, ORACLE, RUBY and DHCP.

The feature improvements of version 2 over the previous RADIUS version are as follows (http://freeradius.org):

  • Updates to dictionary.erx, dictionary.siemens, dictionary.starent, dictionary.starent.vsa1, dictionary.zyxel, added dictionary.symbol
  • Added support for PCRE from Phil Mayers
  • Configurable file permission in rlm_linelog
  • Added “relaxed” option to rlm_attr_filter. This copies attributes if at least one match occurred.
  • Added documentation on dynamic clients. See raddb/modules/dynamic_clients.
  • Added support for elliptical curve cryptography. See ecdh_curve in raddb/eap.conf.
  • Added support for 802.1X MIBs in checkrad
  • Added support for %{rand:…}, which generates a uniformly distributed number between 0 and the number you specify.
  • Created “man” pages for all installed commands, and documented options for all commands. Patch from John Dennis.
  • Allow radsniff to decode encrypted VSAs and CoA packets. Patch from Bjorn Mork.
  • Always send Message-Authenticator in radtest. Patch from John Dennis. radclient continues to be more flexible.
  • Updated Oracle schema and queries
  • Added SecurID module. See src/modules/rlm_securid/README

If you are interested in using the LDAP database schema of Zimbra Collaboration Suite (ZCS) as the user-account infrastructure of your organization, integrating these two services becomes very attractive.

This trial is carried out on a server running FreeBSD, which runs freeradius2 and queries user access against the LDAP account database of Zimbra ZCS version 6.

1.  First, make sure the FreeBSD operating system is running properly.

BGP-UNILA-MORATEL# uname -a
FreeBSD BGP-UNILA-MORATEL 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
BGP-UNILA-MORATEL#

2.  Make sure the LDAP service on the Zimbra server is running properly.

zimbra@zimbra:/root$ ps ax | grep ldap
1320 ?        Ssl    0:20 /opt/zimbra/openldap/sbin/slapd -l LOCAL0 -u zimbra -h ldap://zimbra.unila.ac.id:389 ldapi:/// -F /opt/zimbra/data/ldap/config
3769 pts/0    S+     0:00 grep ldap
zimbra@zimbra:/root$

3.  Install the freeradius2 application, not version 1.

BGP-UNILA-MORATEL# cd /usr/ports/net/freeradius2

4.  Select the module parameters to enable in the freeradius application.

BGP-UNILA-MORATEL# make config

5.  Run the installation.

BGP-UNILA-MORATEL# make && make install clean

6.  Set the freeRadius2 parameters so that it can communicate with the Zimbra LDAP.

By default, installing freeradius2 from ports places the configuration files in the following directory:

BGP-UNILA-MORATEL# cd /usr/local/etc/raddb
BGP-UNILA-MORATEL# ls
acct_users                      example.pl                      radiusd.conf
attrs                           experimental.conf               radiusd.conf.bak
attrs.access_challenge          hints                           sites-available
attrs.access_reject             huntgroups                      sites-enabled
attrs.accounting_response       ldap.attrmap                    sql
attrs.pre-proxy                 modules                         sql.conf
certs                           policy.conf                     sqlippool.conf
clients.conf                    policy.txt                      templates.conf
dictionary                      preproxy_users                  users
eap.conf                        proxy.conf
BGP-UNILA-MORATEL#

Make sure you have enabled the ldap module in the radius configuration.

BGP-UNILA-MORATEL# vi /usr/local/etc/raddb/sites-enabled/default

Uncomment the following lines to enable the LDAP module:

    186         #  The ldap module will set Auth-Type to LDAP if it has not
    187         #  already been set
    188         ldap
    299         # Uncomment it if you want to use ldap for authentication
    300         #
    301         # Note that this means "check plain-text password against
    302         # the ldap database", which means that EAP won't work,
    303         # as it does not supply a plain-text password.
    304         Auth-Type LDAP {
    305                 ldap
    306         }
    307
    308         #

Adjust the ldap parameters in freeradius2 to match the Zimbra LDAP parameters.

BGP-UNILA-MORATEL# vi /usr/local/etc/raddb/modules/ldap

     26 #  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
     27 #  really can't emphasize this enough.
     28 #
     29 ldap {
     30         #
     31         #  Note that this needs to match the name in the LDAP
     32         #  server certificate, if you're using ldaps.
     33         server = "IPADDRESSZIMBRASERVER"
     34         identity = "uid=zimbra,cn=admins,cn=zimbra"
     35         password = PASSWORDLDAPBINDZIMBRA
     36         basedn  = "ou=people,dc=unila,dc=ac,dc=id"
     37         filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
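The filter line above is expanded by rlm_ldap for every request, with the client-supplied User-Name substituted into the search filter; rlm_ldap escapes that value itself before the search. The following is an added example, not code from the post or from FreeRADIUS, showing what that escaping has to do (RFC 4515) so that any name a client sends is matched as a single literal uid value and cannot change the structure of the filter. strip_domain() is a simplified stand-in for the %{mschap:User-Name} xlat in the post's filter and is an assumption, not the module's own implementation.

```python
"""Expand the rlm_ldap filter "(uid=%{User-Name})" with RFC 4515 escaping.

Added example, not code from the original post or from FreeRADIUS. It shows
the escaping the module has to apply so the expanded User-Name is always one
literal uid value and never filter syntax.
"""

# RFC 4515 section 3: characters that are syntax inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def strip_domain(user_name: str) -> str:
    """Approximation (assumption) of %{mschap:User-Name}: drop a 'DOMAIN\\' prefix."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def build_uid_filter(user_name: str, template: str = "(uid=%{User-Name})") -> str:
    """Expand the template the safe way: escape first, then substitute."""
    return template.replace("%{User-Name}", escape_filter_value(strip_domain(user_name)))


def count_unescaped(filter_str: str, ch: str) -> int:
    """Count occurrences of ch that act as filter syntax (not inside a \\XX escape)."""
    n, i = 0, 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3  # skip the whole \XX escape sequence
            continue
        if filter_str[i] == ch:
            n += 1
        i += 1
    return n


def is_single_equality_filter(filter_str: str) -> bool:
    """True when the filter is exactly one (attr=value) assertion with no wildcard."""
    return (filter_str.startswith("(") and filter_str.endswith(")")
            and count_unescaped(filter_str, "(") == 1
            and count_unescaped(filter_str, ")") == 1
            and count_unescaped(filter_str, "*") == 0
            and count_unescaped(filter_str, "=") == 1)


if __name__ == "__main__":
    for name in ("gigih", "UNILA\\gigih", "gi*", "gi)"):
        f = build_uid_filter(name)
        print(repr(name), "->", f, "single assertion:", is_single_equality_filter(f))
```

The check is_single_equality_filter() is the property a defender wants to hold for every expansion: a filter with more than one unescaped parenthesis or any unescaped `*` would no longer be a plain equality match on uid.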

Set the client parameters that are allowed to access the radius server.

BGP-UNILA-MORATEL# vi /usr/local/etc/raddb/clients.conf

     30 client localhost {
     31         #  Allowed values are:
     32         #       dotted quad (1.2.3.4)
     33         #       hostname    (radius.example.com)
     34         ipaddr = 127.0.0.1
     35
     36         #  OR, you can use an IPv6 address, but not both
     37         #  at the same time.
     38         #  ipv6addr = ::   # any.  ::1 == localhost
     39         secret          = testing123456

7. Start the freeradius daemon.

BGP-UNILA-MORATEL# radiusd -X

8. Finally, check whether queries can be made with a user account and password held in the Zimbra LDAP.

Example of a successful login against the Zimbra LDAP:

BGP-UNILA-MORATEL# radtest "gigih" "passwordgue" localhost 20 testing123
Sending Access-Request of id 126 to 127.0.0.1 port 1812
        User-Name = "gigih"
        User-Password = "passwordgue"
        NAS-IP-Address = 103.3.46.251
        NAS-Port = 20
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=126, length=20
BGP-UNILA-MORATEL#

With the corresponding successful radius access log as follows:

rad_recv: Access-Request packet from host 127.0.0.1 port 61289, id=104, length=75
        User-Name = "gigih"
        User-Password = "passwordgue"
        NAS-IP-Address = 103.3.46.251
        NAS-Port = 20
        Message-Authenticator = 0x9a24413562cb495bfd28c1f3d5f1d5b4
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "gigih", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for gigih
[ldap]  expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=gigih)
[ldap]  expand: ou=people,dc=unila,dc=ac,dc=id -> ou=people,dc=unila,dc=ac,dc=id
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=people,dc=unila,dc=ac,dc=id, with filter (uid=gigih)
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{SSHA}cxxxxxxx"
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user gigih authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "gigih" with password "passwordgue"
[ldap] user DN: uid=gigih,ou=people,dc=unila,dc=ac,dc=id
  [ldap] (re)connect to 192.168.1.25:389, authentication 1
  [ldap] bind as uid=gigih,ou=people,dc=unila,dc=ac,dc=id/passwordgue to 192.168.1.25:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user gigih authenticated succesfully
++[ldap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 104 to 127.0.0.1 port 61289
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 104 with timestamp +570
Ready to process requests.
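Two things in the trace above are worth a second look before it is pasted anywhere: radiusd -X prints User-Password in clear text and, a few lines later, the LDAP bind password next to the user DN. The following is an added example, not code from the post or from FreeRADIUS, that pulls the fields a reviewer wants out of such a trace (request id, user, base DN and filter, Auth-Type, bound DN, bind result, final reply) and returns a redacted copy of the lines. The sample trace is a shortened copy of the post's own log; the "[ldap] Bind failed" wording used for the failure branch is an assumption, since the post shows no failed-bind trace.

```python
"""Summarize and redact a FreeRADIUS 2 'radiusd -X' debug trace.

Added example, not code from the original post or from FreeRADIUS. Debug mode
prints User-Password and the LDAP bind password in clear text, so besides the
summary the function returns a redacted copy of the lines.
"""
import re

# Shortened copy of the debug log shown in the post.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 61289, id=104, length=75
        User-Name = "gigih"
        User-Password = "passwordgue"
        NAS-IP-Address = 103.3.46.251
  [ldap] performing search in ou=people,dc=unila,dc=ac,dc=id, with filter (uid=gigih)
[ldap] Setting Auth-Type = LDAP
Found Auth-Type = LDAP
[ldap] login attempt by "gigih" with password "passwordgue"
[ldap] user DN: uid=gigih,ou=people,dc=unila,dc=ac,dc=id
  [ldap] bind as uid=gigih,ou=people,dc=unila,dc=ac,dc=id/passwordgue to 192.168.1.25:389
  [ldap] Bind was successful
Sending Access-Accept of id 104 to 127.0.0.1 port 61289
"""

_REQUEST = re.compile(r"rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
_USER = re.compile(r'^\s*User-Name = "([^"]*)"')
_FILTER = re.compile(r"\[ldap\] performing search in (\S+?), with filter (\(.*\))")
_DN = re.compile(r"\[ldap\] user DN: (\S+)")
_REPLY = re.compile(r"Sending (Access-Accept|Access-Reject) of id (\d+)")

# Each pattern replaces a clear-text credential (everything to end of line) with a marker.
_REDACTIONS = [
    (re.compile(r"(User-Password = ).*$"), r'\1"[REDACTED]"'),
    (re.compile(r"(with password ).*$"), r'\1"[REDACTED]"'),
    (re.compile(r"(\[ldap\] bind as [^/\s]+)/.+ (to \S+)$"), r"\1/[REDACTED] \2"),
]


def redact_line(line: str) -> str:
    """Strip clear-text passwords from one debug line."""
    for pattern, repl in _REDACTIONS:
        line = pattern.sub(repl, line)
    return line


def summarize_trace(text: str) -> dict:
    """Extract who was authenticated, how, and with what result."""
    summary = {"id": None, "client": None, "user": None, "basedn": None,
               "filter": None, "auth_type": None, "dn": None,
               "bind_ok": None, "reply": None, "redacted": []}
    for line in text.splitlines():
        summary["redacted"].append(redact_line(line))
        if m := _REQUEST.search(line):
            summary["client"], summary["id"] = m.group(1), int(m.group(2))
        elif m := _USER.match(line):
            summary["user"] = m.group(1)
        elif m := _FILTER.search(line):
            summary["basedn"], summary["filter"] = m.group(1), m.group(2)
        elif line.startswith("Found Auth-Type = "):
            summary["auth_type"] = line.split("= ", 1)[1].strip()
        elif m := _DN.search(line):
            summary["dn"] = m.group(1)
        elif "[ldap] Bind was successful" in line:
            summary["bind_ok"] = True
        elif "[ldap] Bind failed" in line:  # failure wording is an assumption
            summary["bind_ok"] = False
        elif m := _REPLY.search(line):
            summary["reply"] = m.group(1)
    return summary


if __name__ == "__main__":
    result = summarize_trace(SAMPLE_TRACE)
    for key in ("id", "client", "user", "dn", "auth_type", "bind_ok", "reply"):
        print(f"{key:10s} {result[key]}")
    print("\n".join(result["redacted"]))
```

Running it on a full trace gives a one-screen answer to "which DN did radiusd bind as, and did the directory accept it", which is usually the first question when radtest returns Access-Reject.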

Whereas access with a failing account looks as follows:

BGP-UNILA-MORATEL# radtest "gigih" "jajal" localhost 20 testing123
Sending Access-Request of id 145 to 127.0.0.1 port 1812
        User-Name = "gigih"
        User-Password = "jajal"
        NAS-IP-Address = 103.3.46.251
        NAS-Port = 20
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=145, length=20
BGP-UNILA-MORATEL#
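Two details of the radtest output above are easy to misread: the all-zero Message-Authenticator is only the placeholder radtest prints before the HMAC is filled in (the server-side trace shows the real value), and User-Password is never sent in the clear; it is hidden with the shared secret and the per-request Request Authenticator, which is why the shared secret in clients.conf is what protects the password on the wire. The following is an added example, not code from the post or from FreeRADIUS, that builds the same Access-Request radtest sends (RFC 2865 password hiding, RFC 2869 Message-Authenticator), shows how the server recovers the password before its LDAP bind, and checks the Response Authenticator of the Access-Accept/Reject. It runs offline: the reply is produced locally with the same shared secret. The values for user, password, NAS address and secret are the ones from the post's radtest call; the resulting packet length of 75 bytes matches the length in the post's debug log.

```python
"""Build and check RADIUS PAP packets the way radtest does (RFC 2865, RFC 2869).

Added example, not code from the original post or from FreeRADIUS. Everything
runs offline: the 'server' reply is produced locally with the same shared
secret, so no radiusd or network is needed.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT, ATTR_MESSAGE_AUTHENTICATOR = 4, 5, 80


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Decode the attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block).
    Only a holder of the shared secret (which is never sent) can undo this."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password: what radiusd does before the LDAP bind."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, nas_ip="103.3.46.251", nas_port=20):
    """Access-Request with User-Name, hidden User-Password, NAS-IP-Address, NAS-Port."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    # Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over the whole packet with the
    # attribute value zeroed; that zeroed placeholder is what radtest prints.
    zeroed = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(zeroed)) + req_auth
    mac = hmac.new(secret, header + attrs + zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(request: bytes, secret: bytes) -> bool:
    """Server-side check; with a wrong shared secret it fails and the packet is discarded."""
    mac = parse_attrs(request).get(ATTR_MESSAGE_AUTHENTICATOR)
    if mac is None or len(mac) != 16:
        return False
    idx = request.find(attr(ATTR_MESSAGE_AUTHENTICATOR, mac))
    zeroed = request[:idx] + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16) + request[idx + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes):
    """Client-side check; returns the reply code, or None if the reply is not authentic."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return reply[0] if hmac.compare_digest(expected, resp_auth) else None


if __name__ == "__main__":
    secret = b"testing123"
    req = build_access_request(126, "gigih", "passwordgue", secret)
    print("Access-Request length:", len(req))  # 75, as in the post's debug log
    print("server recovers:", reveal_password(parse_attrs(req)[ATTR_USER_PASSWORD], secret, req[4:20]))
    print("reply code:", verify_reply(build_reply(ACCESS_ACCEPT, req, secret), req, secret))
```

A 20-byte reply, as both the Access-Accept and the Access-Reject above are, carries no attributes at all, so the only thing a client can check on it is the Response Authenticator; verify_reply() is that check.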

At this point you have successfully integrated the Zimbra LDAP database schema module into the radius server.

Hope this is useful. Happy trying. 🙂

  1. jackops
    March 22, 2012 at 5:41 am

    Wow, cool, Gigih.. keep on sharing..

  2. Satria
    November 19, 2012 at 12:50 pm

    Could you please explain this part in more detail:
    ldap {
    30 #
    31 # Note that this needs to match the name in the LDAP
    32 # server certificate, if you're using ldaps.
    33 server = "IPADDRESSZIMBRASERVER"
    34 identity = "uid=zimbra,cn=admins,cn=zimbra"
    35 password = PASSWORDLDAPBINDZIMBRA
    36 basedn = "ou=people,dc=unila,dc=ac,dc=id"
    37 filter = "(uid=%{mschap:User-Name:-%{User-Name}})"

    I still don't quite understand what it means and what it is for..?

    • January 10, 2013 at 5:22 am

      For server, enter your Zimbra IP address
      identity = the uid,cn parameter set when Zimbra was first installed
      password = the Zimbra LDAP bind password set at first installation
      base dn = ou,dc

  3. candra
    August 23, 2013 at 4:12 pm

    A question: is the Zimbra LDAP bind password the same as the Zimbra admin password, or what?
    Thanks.

  4. adhi
    December 25, 2013 at 4:12 am

    Excuse me, I have tried it but authentication is always rejected every time in radtest.
    What could be the cause? I am using Zimbra's LDAP.
