radius_ipa [2025/07/26 17:09] – Imported by DokuWiki Advanced Plugin wikiadm (page later removed by an external edit)

====== FreeRADIUS ======
===== Change the FreeIPA default password hash =====
<code bash>
# echo "dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SSHA512" > passwordHashAlgorithm.ldif
</code>

<code bash>
# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -x -D "cn=Directory Manager" -W -b "cn=config" | grep passwordStorageScheme
Enter LDAP Password:
passwordStorageScheme: PBKDF2_SHA256
</code>

<code bash>
# ldapmodify -h localhost -p 389 -x -D "cn=Directory Manager" -W -f passwordHashAlgorithm.ldif
Enter LDAP Password:
modifying entry "cn=config"
</code>

<code bash>
# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -x -D "cn=Directory Manager" -W -b "cn=config" | grep passwordStorageScheme
Enter LDAP Password:
passwordStorageScheme: SSHA512
</code>
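
The storage scheme is changed because rlm_pap can only verify password hashes it understands: the FreeRADIUS debug output in the testing section shows it consuming the {SSHA512} value from userPassword as control:SSHA2-512-Password and decoding 96 base64 characters into 72 bytes. The Python below is an added example (not code from this wiki page, FreeIPA or FreeRADIUS) that produces and verifies hashes in the salted form 389 Directory Server stores for SSHA512, that is base64(sha512(password || salt) || salt) with an 8-byte salt appended to the 64-byte digest; the password and fixed salt are constructed sample values.

```python
"""Generate and verify {SSHA512} userPassword values in the 389-ds layout.
Added example; not part of the wiki page, FreeIPA or FreeRADIUS."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA512}"
DIGEST_LEN = 64   # SHA-512 output size
SALT_LEN = 8      # salt length 389-ds appends to the digest for SSHA512


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return {SSHA512}base64(sha512(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_header(value: str) -> Tuple[str, bytes]:
    """Split a userPassword value into its {SCHEME} header and decoded payload,
    the step rlm_pap performs on control:Password-With-Header."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} header")
    end = value.index("}") + 1
    return value[:end].upper(), base64.b64decode(value[end:])


def ssha512_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against an {SSHA512} value.
    Any other scheme (e.g. the PBKDF2_SHA256 default) is reported as not verifiable."""
    scheme, raw = split_header(stored)
    if scheme != SCHEME or len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def payload_length(stored: str) -> int:
    """Decoded payload size: 72 bytes (64 digest + 8 salt) for 389-ds SSHA512,
    matching the 'base64 encoding, 96 bytes -> 72 bytes' debug line."""
    return len(split_header(stored)[1])


if __name__ == "__main__":
    # constructed sample password with a random salt
    h = ssha512_hash("test")
    print(h, payload_length(h), ssha512_verify("test", h), ssha512_verify("wrong", h))
```

Run it against a real value by pasting the userPassword attribute read with the radiusadm bind into ssha512_verify; a False result for a password you know to be correct means the entry was hashed before the scheme change and still carries the old PBKDF2_SHA256 value, which is only replaced on the user's next password change.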

===== Adding the host =====
<code bash>
# ipa dnsrecord-add juntotelecom.com.br sp-spo-radius --a-rec 172.28.129.6
  Record name: sp-spo-radius
  A record: 172.28.129.6
</code>

<code bash>
# ipa dnsrecord-add juntotelecom.com.br sp-spo-radius --aaaa-rec 2804:694:4c00:4004::6
  Record name: sp-spo-radius
  A record: 172.28.129.6
  AAAA record: 2804:694:4c00:4004::6
</code>

<code bash>
# ipa host-add sp-spo-radius.juntotelecom.com.br --desc="FreeRADIUS" --password="@btjt(())22"
----------------------------------------------
Added host "sp-spo-radius.juntotelecom.com.br"
----------------------------------------------
  Host name: sp-spo-radius.juntotelecom.com.br
  Description: FreeRADIUS
  Password: True
  Keytab: False
  Managed by: sp-spo-radius.juntotelecom.com.br
</code>

===== Permissions for the radiusadm user =====
<code bash>
# ipa permission-add 'userPassword service read' --attrs=userPassword --type=user --right=read
--------------------------------------------
Added permission "userPassword service read"
--------------------------------------------
  Permission name: userPassword service read
  Granted rights: read
  Effective attributes: userPassword
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br
  Type: user
  Permission flags: SYSTEM, V2
</code>

<code bash>
# ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
----------------------------------
Added privilege "Radius services"
----------------------------------
  Privilege name: Radius services
  Description: Privileges needed to allow radiusd servers to operate
</code>

<code bash>
# ipa privilege-add-permission 'Radius services' --permissions='userPassword service read'
  Privilege name: Radius services
  Description: Privileges needed to allow radiusd servers to operate
  Permissions: userPassword service read
-----------------------------
Number of permissions added 1
-----------------------------
</code>

<code bash>
# ipa role-add 'Radius server' --desc="Radius server role"
--------------------------
Added role "Radius server"
--------------------------
  Role name: Radius server
  Description: Radius server role
</code>

<code bash>
# ipa role-add-privilege --privileges="Radius services" 'Radius server'
  Role name: Radius server
  Description: Radius server role
  Privileges: Radius services
----------------------------
Number of privileges added 1
----------------------------
</code>

<code bash>
# yes "@btjt(())22" | ipa user-add "radiusadm" --first=Radius --last=User --shell=/bin/bash --password
----------------------
Added user "radiusadm"
----------------------
  User login: radiusadm
  First name: Radius
  Last name: User
  Full name: Radius User
  Display name: Radius User
  Initials: RU
  Home directory: /home/radiusadm
  GECOS: Radius User
  Login shell: /bin/bash
  Principal name: radiusadm@JUNTOTELECOM.COM.BR
  Principal alias: radiusadm@JUNTOTELECOM.COM.BR
  User password expiration: 20220412204350Z
  Email address: radiusadm@juntotelecom.com.br
  UID: 187600003
  GID: 187600003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
</code>

<code bash>
# ipa user-mod "radiusadm" --user-auth-type=password --user-auth-type=radius
-------------------------
Modified user "radiusadm"
-------------------------
  User login: radiusadm
  First name: Radius
  Last name: User
  Home directory: /home/radiusadm
  Login shell: /bin/bash
  Principal name: radiusadm@JUNTOTELECOM.COM.BR
  Principal alias: radiusadm@JUNTOTELECOM.COM.BR
  Email address: radiusadm@juntotelecom.com.br
  UID: 187600003
  GID: 187600003
  User authentication types: password, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
</code>

<code bash>
# yes "@btjt(())22" | ipa user-mod "radiusadm" --password-expiration="2050-01-01Z" --password
-------------------------
Modified user "radiusadm"
-------------------------
  User login: radiusadm
  First name: Radius
  Last name: User
  Home directory: /home/radiusadm
  Login shell: /bin/bash
  Principal name: radiusadm@JUNTOTELECOM.COM.BR
  Principal alias: radiusadm@JUNTOTELECOM.COM.BR
  User password expiration: 20220412204516Z
  Email address: radiusadm@juntotelecom.com.br
  UID: 187600003
  GID: 187600003
  User authentication types: password, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
</code>

<code bash>
# ipa role-add-member 'Radius server' --users='radiusadm'
  Role name: Radius server
  Description: Radius server role
  Member users: radiusadm
  Privileges: Radius services
-------------------------
Number of members added 1
-------------------------
</code>

<code bash>
# ipa user-show radiusadm --all --raw
  dn: uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br
  uid: radiusadm
  givenname: Radius
  sn: User
  cn: Radius User
  initials: RU
  homedirectory: /home/radiusadm
  gecos: Radius User
  loginshell: /bin/bash
  krbcanonicalname: radiusadm@JUNTOTELECOM.COM.BR
  krbprincipalname: radiusadm@JUNTOTELECOM.COM.BR
  mail: radiusadm@juntotelecom.com.br
  uidnumber: 187600003
  gidnumber: 187600003
  ipauserauthtype: password
  ipauserauthtype: radius
  nsaccountlock: FALSE
  has_password: TRUE
  has_keytab: TRUE
  displayName: Radius User
  ipaNTSecurityIdentifier: S-1-5-21-2731924211-1883941829-2112701219-1003
  ipaUniqueID: 42e05e52-baa1-11ec-a438-000c29ad9330
  krbExtraData: AALc5FVicm9vdC9hZG1pbkBKVU5UT1RFTEVDT00uQ09NLkJSAA==
  krbLastPwdChange: 20220412204516Z
  krbPasswordExpiration: 20220412204516Z
  memberof: cn=Radius server,cn=roles,cn=accounts,dc=juntotelecom,dc=com,dc=br
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
  memberofindirect: cn=userPassword service read,cn=permissions,cn=pbac,dc=juntotelecom,dc=com,dc=br
  memberofindirect: cn=Radius services,cn=privileges,cn=pbac,dc=juntotelecom,dc=com,dc=br
  mepManagedEntry: cn=radiusadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
  objectClass: ipauserauthtypeclass
</code>
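
The chain built in this section is permission -> privilege -> role -> user, and the `--raw` listing is where it can be verified: the role appears as a direct memberof, the privilege and the single permission as memberofindirect. The Python below is an added example (not code from this wiki page or from FreeIPA) that parses such a listing and reports anything that deviates from the intended least-privilege state: a permission beyond userPassword service read, a missing permission, unexpected authentication types, or a locked account. The sample listing is a constructed, shortened copy of the output above with a placeholder base DN.

```python
"""Audit the RBAC chain of the FreeRADIUS service account from
`ipa user-show <user> --all --raw` output. Added example; not part of the
wiki page or FreeIPA. SAMPLE_RAW is constructed (placeholder base DN)."""
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_RAW = """\
  dn: uid=radiusadm,cn=users,cn=accounts,dc=example,dc=test
  uid: radiusadm
  ipauserauthtype: password
  ipauserauthtype: radius
  nsaccountlock: FALSE
  memberof: cn=Radius server,cn=roles,cn=accounts,dc=example,dc=test
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
  memberofindirect: cn=userPassword service read,cn=permissions,cn=pbac,dc=example,dc=test
  memberofindirect: cn=Radius services,cn=privileges,cn=pbac,dc=example,dc=test
"""


def parse_raw(text: str) -> Dict[str, List[str]]:
    """Collect 'attr: value' lines into a multi-valued map. Attribute names are
    lower-cased because --raw output mixes cases (memberof vs. displayName)."""
    attrs: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs[key.lower()].append(value)
    return attrs


def rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas and return the RDN values ('cn=x' -> 'x')."""
    parts, buf = [], ""
    for ch in dn:
        if ch == "," and not buf.endswith("\\"):
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p.split("=", 1)[1] if "=" in p else p for p in parts]


def rbac_summary(attrs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Group direct and indirect memberships by the container they live in:
    cn=roles, cn=privileges, cn=permissions (under cn=pbac) or cn=groups."""
    summary: Dict[str, Set[str]] = {"roles": set(), "privileges": set(),
                                    "permissions": set(), "groups": set()}
    for dn in attrs.get("memberof", []) + attrs.get("memberofindirect", []):
        values = rdns(dn)
        if len(values) >= 2 and values[1] in summary:
            summary[values[1]].add(values[0])
    return summary


def check_service_account(text: str, expected_permissions: Set[str],
                          expected_auth: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the account matches
    the intended state exactly."""
    attrs = parse_raw(text)
    summary = rbac_summary(attrs)
    problems: List[str] = []
    if attrs.get("nsaccountlock") != ["FALSE"]:
        problems.append("account is locked")
    auth = set(attrs.get("ipauserauthtype", []))
    if auth != expected_auth:
        problems.append(f"auth types {sorted(auth)} != {sorted(expected_auth)}")
    for extra in sorted(summary["permissions"] - expected_permissions):
        problems.append(f"unexpected permission: {extra}")
    for missing in sorted(expected_permissions - summary["permissions"]):
        problems.append(f"missing permission: {missing}")
    return problems


if __name__ == "__main__":
    print(rbac_summary(parse_raw(SAMPLE_RAW)))
    print(check_service_account(SAMPLE_RAW, {"userPassword service read"},
                                {"password", "radius"}))
```

Feed it the real listing with `ipa user-show radiusadm --all --raw | python3 audit.py` after replacing SAMPLE_RAW with `sys.stdin.read()`; re-running it after any role or privilege change is a cheap way to notice when the service account has quietly accumulated permissions beyond reading userPassword.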

===== FreeRADIUS installation =====
<code bash>
# cat <<EOF | tee -a /etc/hosts
172.28.129.6 sp-spo-radius.juntotelecom.com.br sp-spo-radius
177.75.187.213  sp-spo-ipa.juntotelecom.com.br sp-spo-ipa
2804:694:4c00:4004::6  sp-spo-radius.juntotelecom.com.br       sp-spo-radius
2804:694:4c00:4001::13  sp-spo-ipa.juntotelecom.com.br  sp-spo-ipa
EOF
</code>

<code bash>
# hostnamectl set-hostname sp-spo-radius.juntotelecom.com.br
</code>

<code bash>
# echo "krb5-config krb5-config/kerberos_servers string
krb5-config krb5-config/add_servers_realm string JUNTOTELECOM.COM.BR
krb5-config krb5-config/default_realm string JUNTOTELECOM.COM.BR
krb5-config krb5-config/add_servers boolean false
krb5-config krb5-config/admin_server string
krb5-config krb5-config/read_conf boolean true
libpam-runtime libpam-runtime/override boolean false
libpam-runtime libpam-runtime/profiles multiselect pwquality, unix, sss, systemd, gnome-keyring, capability" | debconf-set-selections
</code>

<code bash>
# apt-get install freeradius freeradius-ldap freeradius-utils sudo patch
</code>

<code bash>
# echo "deb http://deb.debian.org/debian bullseye-backports main" > /etc/apt/sources.list.d/bullseye-backports.list
</code>

<code bash>
# apt-get update
</code>

<code bash>
# DEBIAN_FRONTEND=noninteractive apt-get install -t bullseye-backports freeipa-client
</code>

<code bash>
# yes yes | ipa-client-install --ntp-server=sp-spo-ipa.juntotelecom.com.br --domain=juntotelecom.com.br --enable-dns-updates --password="@btjt(())22" --realm=JUNTOTELECOM.COM.BR --server=sp-spo-ipa.juntotelecom.com.br
This program will set up IPA client.
Version 4.9.8

WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: Client hostname: sp-spo-radius.juntotelecom.com.br
Realm: JUNTOTELECOM.COM.BR
DNS Domain: juntotelecom.com.br
IPA Server: sp-spo-ipa.juntotelecom.com.br
BaseDN: dc=juntotelecom,dc=com,dc=br
NTP server: sp-spo-ipa.juntotelecom.com.br

Continue to configure the system with these values? [no]: Synchronizing time
Augeas failed to configure file /etc/chrony/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Do you want to download the CA cert from http://sp-spo-ipa.juntotelecom.com.br/ipa/config/ca.crt ?
(this is INSECURE) [no]: Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=JUNTOTELECOM.COM.BR
    Issuer:      CN=Certificate Authority,O=JUNTOTELECOM.COM.BR
    Valid From:  2022-04-12 19:45:00
    Valid Until: 2042-04-12 19:45:00

Enrolled in IPA realm JUNTOTELECOM.COM.BR
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm JUNTOTELECOM.COM.BR
Systemwide CA database updated.
Hostname (sp-spo-radius.juntotelecom.com.br) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host sp-spo-radius.juntotelecom.com.br: 172.28.129.6, 2804:694:4c00:4004::6.
Missing reverse record(s) for address(es): 172.28.129.6, 2804:694:4c00:4004::6.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Principal is not set when enrolling with OTP; using principal 'admin@juntotelecom.com.br' for 'getent passwd'
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring juntotelecom.com.br as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
</code>

<code bash>
# cp -p /etc/sssd/sssd.conf{,.dist}
# sed -i '/^\[domain\/.*]$/a enumerate = true' /etc/sssd/sssd.conf
# systemctl restart sssd
</code>

<code bash>
# cp -p /etc/freeradius/3.0/mods-available/ldap{,.dist}
# pushd /etc/freeradius/3.0/mods-enabled
# ln -s ../mods-available/ldap .
</code>

<code bash>
# sed -i -e "s#'localhost'#'sp-spo-ipa.juntotelecom.com.br'#g" -e "s#'dc=example,dc=org'#'cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br'#g" ldap
# sed -i "s/#[[:blank:]]*identity = .*/\tidentity = 'uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br'/" ldap
# sed -i "s/#[[:blank:]]*password = .*/\tpassword = '@btjt(())22'/" ldap
</code>

<code bash>
# cp -p /etc/freeradius/3.0/sites-available/default{,.dist}
</code>

<code bash>
# pushd /etc/freeradius/3.0/sites-enabled
/etc/freeradius/3.0/sites-enabled ~
</code>

<code bash>
# sed -i 's/-ldap/ldap/' default
</code>

<code bash>
echo '526,528c526,528
< # Auth-Type LDAP {
< # ldap
< # }
---
> Auth-Type LDAP {
> ldap
> }' | patch default
</code>

<code bash>
# popd
~
root@sp-spo-radius:~#
</code>

<code bash>
# rm /etc/freeradius/3.0/sites-enabled/default.orig
# systemctl restart freeradius.service
</code>

===== Testing authentication =====
<code bash>
# ldapsearch -h sp-spo-ipa.juntotelecom.com.br -p 389 -v -b 'dc=juntotelecom,dc=com,dc=br' -D "uid=radiusadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br" -W -LLL
</code>

<code bash>
# yes test | ipa user-add "radiustest" --first=Radius --last=Test --shell=/usr/bin/false --password
-----------------------
Added user "radiustest"
-----------------------
  User login: radiustest
  First name: Radius
  Last name: Test
  Full name: Radius Test
  Display name: Radius Test
  Initials: RT
  Home directory: /home/radiustest
  GECOS: Radius Test
  Login shell: /usr/bin/false
  Principal name: radiustest@JUNTOTELECOM.COM.BR
  Principal alias: radiustest@JUNTOTELECOM.COM.BR
  User password expiration: 20220412213118Z
  Email address: radiustest@juntotelecom.com.br
  UID: 187600004
  GID: 187600004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
</code>

<code bash>
# ipa user-mod radiustest --password-expiration="2050-01-01Z" --user-auth-type=password --user-auth-type=radius
--------------------------
Modified user "radiustest"
--------------------------
  User login: radiustest
  First name: Radius
  Last name: Test
  Home directory: /home/radiustest
  Login shell: /usr/bin/false
  Principal name: radiustest@JUNTOTELECOM.COM.BR
  Principal alias: radiustest@JUNTOTELECOM.COM.BR
  User password expiration: 20500101000000Z
  Email address: radiustest@juntotelecom.com.br
  UID: 187600004
  GID: 187600004
  User authentication types: password, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
</code>

<code bash>
# systemctl stop freeradius.service
# sudo -u freerad freeradius -fxX
</code>

<code bash>
~$ radtest radiustest test 127.0.0.1 0 testing123
Sent Access-Request Id 30 from 0.0.0.0:59482 to 127.0.0.1:1812 length 80
        User-Name = "radiustest"
        User-Password = "test"
        NAS-IP-Address = 172.28.129.6
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "test"
Received Access-Accept Id 30 from 127.0.0.1:1812 to 127.0.0.1:59482 length 20
</code>

<code bash>
Tue Apr 12 18:36:06 2022 : Debug: (0) Received Access-Request Id 30 from 127.0.0.1:59482 to 127.0.0.1:1812 length 80
Tue Apr 12 18:36:06 2022 : Debug: (0)   User-Name = "radiustest"
Tue Apr 12 18:36:06 2022 : Debug: (0)   User-Password = "test"
Tue Apr 12 18:36:06 2022 : Debug: (0)   NAS-IP-Address = 172.28.129.6
Tue Apr 12 18:36:06 2022 : Debug: (0)   NAS-Port = 0
Tue Apr 12 18:36:06 2022 : Debug: (0)   Message-Authenticator = 0xb14fe3c0f0e4be30e99922378beefed4
Tue Apr 12 18:36:06 2022 : Debug: (0) session-state: No State attribute
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0)   authorize {
Tue Apr 12 18:36:06 2022 : Debug: (0)     policy filter_username {
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&User-Name) {
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&User-Name)  -> TRUE
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&User-Name)  {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ / /) {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ / /)  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /@[^@]*@/ ) {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /\.\./ ) {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /\.\./ )  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /\.$/ {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /\.$/  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /@\./ {
Tue Apr 12 18:36:06 2022 : Debug: (0)         if (&User-Name =~ /@\./  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)       } # if (&User-Name)  = notfound
Tue Apr 12 18:36:06 2022 : Debug: (0)     } # policy filter_username = notfound
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [preprocess] = ok
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling chap (rlm_chap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from chap (rlm_chap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [chap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling mschap (rlm_mschap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from mschap (rlm_mschap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [mschap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling digest (rlm_digest)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from digest (rlm_digest)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [digest] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling suffix (rlm_realm)
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: Checking for suffix after "@"
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: No '@' in User-Name = "radiustest", looking up realm NULL
Tue Apr 12 18:36:06 2022 : Debug: (0) suffix: No such realm "NULL"
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from suffix (rlm_realm)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [suffix] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling eap (rlm_eap)
Tue Apr 12 18:36:06 2022 : Debug: (0) eap: No EAP-Message, not doing EAP
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from eap (rlm_eap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [eap] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling files (rlm_files)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from files (rlm_files)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [files] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling ldap (rlm_ldap)
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba41f70
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba38e60
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba50eb0
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba508b0
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 126 seconds
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): You probably need to lower "min"
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap: Closing libldap handle 0x56106ba5c010
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Connecting to ldap://sp-spo-ipa.juntotelecom.com.br:389
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): New libldap handle 0x56106ba5c010
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Waiting for bind result...
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Bind successful
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Reserved connection (5)
Tue Apr 12 18:36:06 2022 : Debug: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Tue Apr 12 18:36:06 2022 : Debug: Parsed xlat tree:
Tue Apr 12 18:36:06 2022 : Debug: literal --> (uid=
Tue Apr 12 18:36:06 2022 : Debug: XLAT-IF {
Tue Apr 12 18:36:06 2022 : Debug:       attribute --> Stripped-User-Name
Tue Apr 12 18:36:06 2022 : Debug: }
Tue Apr 12 18:36:06 2022 : Debug: XLAT-ELSE {
Tue Apr 12 18:36:06 2022 : Debug:       attribute --> User-Name
Tue Apr 12 18:36:06 2022 : Debug: }
Tue Apr 12 18:36:06 2022 : Debug: literal --> )
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap:    --> (uid=radiustest)
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Performing search in "cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br" with filter "(uid=radiustest)", scope "sub"
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Waiting for search result...
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: User object found at DN "uid=radiustest,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br"
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Processing user attributes
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: control:Password-With-Header += '{SSHA512}669DM1uaEIJS1SimK9lMk9wD1KC+kp47tQ1B0w5IZxzkqtH/Vp1aJUvVtJFSQpTDMObp+ZS0jsMqy/C9pCsPq/sXJhMk2Joq'
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusControlAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusRequestAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: (0) ldap: Attribute "radiusReplyAttribute" not found in LDAP object
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Released connection (5)
Tue Apr 12 18:36:06 2022 : Info: Need 2 more connections to reach min connections (3)
Tue Apr 12 18:36:06 2022 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Connecting to ldap://sp-spo-ipa.juntotelecom.com.br:389
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): New libldap handle 0x56106ba39000
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Waiting for bind result...
Tue Apr 12 18:36:06 2022 : Debug: rlm_ldap (ldap): Bind successful
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from ldap (rlm_ldap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [ldap] = updated
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling expiration (rlm_expiration)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from expiration (rlm_expiration)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [expiration] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling logintime (rlm_logintime)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from logintime (rlm_logintime)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [logintime] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: calling pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Converted: &control:Password-With-Header = '{SSHA512}669DM1uaEIJS1SimK9lMk9wD1KC+kp47tQ1B0w5IZxzkqtH/Vp1aJUvVtJFSQpTDMObp+ZS0jsMqy/C9pCsPq/sXJhMk2Joq' -> &control:SSHA2-512-Password = '0x363639444d31756145494a533153696d4b396c4d6b397744314b432b6b70343774513142307735495a787a6b7174482f567031614a557656744a4653517054444d4f62702b5a53306a734d71792f433970437350712f73584a684d6b324a6f71'
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Removing &control:Password-With-Header
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authorize]: returned from pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [pap] = updated
Tue Apr 12 18:36:06 2022 : Debug: (0)   } # authorize = updated
Tue Apr 12 18:36:06 2022 : Debug: (0) Found Auth-Type = PAP
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0)   Auth-Type PAP {
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authenticate]: calling pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Login attempt with password "test" (4)
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: Comparing with "known-good" SSHA2-512-Password
Tue Apr 12 18:36:06 2022 : Debug: (0) pap: User authenticated successfully
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[authenticate]: returned from pap (rlm_pap)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [pap] = ok
Tue Apr 12 18:36:06 2022 : Debug: (0)   } # Auth-Type PAP = ok
Tue Apr 12 18:36:06 2022 : Debug: (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
Tue Apr 12 18:36:06 2022 : Debug: (0)   post-auth {
Tue Apr 12 18:36:06 2022 : Debug: (0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
Tue Apr 12 18:36:06 2022 : Debug: (0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)     update {
Tue Apr 12 18:36:06 2022 : Debug: (0)       No attributes updated for RHS &session-state:
Tue Apr 12 18:36:06 2022 : Debug: (0)     } # update = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[post-auth]: calling exec (rlm_exec)
Tue Apr 12 18:36:06 2022 : Debug: (0)     modsingle[post-auth]: returned from exec (rlm_exec)
Tue Apr 12 18:36:06 2022 : Debug: (0)     [exec] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     policy remove_reply_message_if_eap {
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
Tue Apr 12 18:36:06 2022 : Debug: (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
Tue Apr 12 18:36:06 2022 : Debug: (0)       else {
Tue Apr 12 18:36:06 2022 : Debug: (0)         modsingle[post-auth]: calling noop (rlm_always)
Tue Apr 12 18:36:06 2022 : Debug: (0)         modsingle[post-auth]: returned from noop (rlm_always)
Tue Apr 12 18:36:06 2022 : Debug: (0)         [noop] = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)       } # else = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)     } # policy remove_reply_message_if_eap = noop
Tue Apr 12 18:36:06 2022 : Debug: (0)   } # post-auth = noop
Tue Apr 12 18:36:06 2022 : Debug: (0) Sent Access-Accept Id 30 from 127.0.0.1:1812 to 127.0.0.1:59482 length 0
Tue Apr 12 18:36:06 2022 : Debug: (0) Finished request
Tue Apr 12 18:36:06 2022 : Debug: Waking up in 4.9 seconds.
Tue Apr 12 18:36:11 2022 : Debug: (0) Cleaning up request packet ID 30 with timestamp +126
Tue Apr 12 18:36:11 2022 : Info: Ready to process requests
</code>
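
The radtest run above is a plain PAP exchange: the 80-byte Access-Request carries User-Name, an obfuscated User-Password, NAS-IP-Address, NAS-Port and a Message-Authenticator, and the 20-byte Access-Accept carries nothing but a Response Authenticator. The Python below is an added example (not code from this wiki page, radtest or FreeRADIUS) that performs the RFC 2865 and RFC 2869 arithmetic on both sides: the client builds the request and later validates the reply, and the server recovers the password, discards requests whose Message-Authenticator does not verify (the check `require_message_authenticator = yes` turns on in clients.conf), and answers with a Response Authenticator. Identifier 30, secret testing123, user radiustest with password test and NAS-IP-Address 172.28.129.6 are taken from the radtest output; the Request Authenticator is random in real use and fixed only in the self-test.

```python
"""RADIUS PAP exchange arithmetic (RFC 2865 / RFC 2869), both NAS and server
side. Added example; not code from the wiki page, radtest or FreeRADIUS."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([kind, len(value) + 2]) + value


def encrypt_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    plain = password.encode("utf-8")
    plain = plain.ljust(max(16, -(-len(plain) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], block))
        out += prev
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> str:
    """Inverse of encrypt_password, run by the server with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8")


def parse_attrs(pkt: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset, value) for every attribute after the 20-byte header."""
    found, i = [], 20
    while i + 2 <= len(pkt):
        kind, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        found.append((kind, i, pkt[i + 2:i + length]))
        i += length
    return found


def access_request(ident: int, secret: bytes, username: str, password: str,
                   nas_ip: str, nas_port: int,
                   authenticator: Optional[bytes] = None) -> bytes:
    """NAS side: build the Access-Request with Message-Authenticator last."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join([
        attr(USER_NAME, username.encode("utf-8")),
        attr(USER_PASSWORD, encrypt_password(password, secret, authenticator)),
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attr(NAS_PORT, struct.pack("!I", nas_port)),
        attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16),
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the attribute zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side check that require_message_authenticator = yes enables."""
    for kind, offset, value in parse_attrs(pkt):
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:offset + 2] + b"\x00" * 16 + pkt[offset + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def server_respond(request: bytes, secret: bytes, known_good: Dict[str, str]) -> Optional[bytes]:
    """Server side: drop a request with a bad Message-Authenticator, recover the
    PAP password, compare it, and answer with a Response Authenticator."""
    if not verify_message_authenticator(request, secret):
        return None  # RFC 2869: silently discard
    ident, req_auth = request[1], request[4:20]
    attrs = {kind: value for kind, _, value in parse_attrs(request)}
    password = decrypt_password(attrs[USER_PASSWORD], secret, req_auth)
    expected = known_good.get(attrs[USER_NAME].decode("utf-8"), "\x00")
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: the reply is genuine only if its authenticator was computed
    over our Request Authenticator with the same shared secret."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"testing123"
    req = access_request(30, secret, "radiustest", "test", "172.28.129.6", 0)
    reply = server_respond(req, secret, {"radiustest": "test"})
    print(len(req), reply[0] == ACCESS_ACCEPT, verify_response(reply, req, secret))
```

Everything here keys off the shared secret alone: a NAS that knows it can produce valid requests and a server that knows it can produce valid replies, which is why the per-client secrets in clients.conf carry the whole trust of the exchange.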

===== Configuring the clients file =====
<code bash>
# cp -p /etc/freeradius/3.0/clients.conf{,.dist}
</code>

<code bash>
# cat /etc/freeradius/3.0/clients.conf
client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = testing123
        require_message_authenticator = no

        #  Permitted NAS types are:
        #
        #       cisco
        #       computone
        #       livingston
        #       juniper
        #       max40xx
        #       multitech
        #       netserver
        #       pathras
        #       patton
        #       portslave
        #       tc
        #       usrhiper
        #       other           # for all other types

        #
        nas_type         = other        # localhost isn't usually a NAS...
        #
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}

# IPv6 Client
client localhost_ipv6 {
        ipv6addr        = ::1
        secret          = testing123
}

# JuntoTelecom
client bloco_ipv6 {
        ipv6addr        = 2804:694::/32
        secret          = R4d10S
}

client private-network-1 {
        ipaddr          = 10.0.0.0/8
        secret          = Yosh1@nintend0
}

client private-network-2 {
        ipaddr          = 172.16.0.0/12
        secret          = R4d10S
}

client private-network-3 {
        ipaddr          = 192.168.0.0/16
        secret          = R4d10S
}

client bloco_public {
        ipaddr          = 177.75.176.0/20
        secret          = Yosh1@nintend0
}

client rondonopolis_internet {
        ipaddr          = 179.220.65.181/32
        secret          = Yosh1@nintend0
}
</code>
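
Each `client` block above binds an address range to a shared secret, and several blocks reuse one secret across whole private ranges. The Python below is an added example (not code from this wiki page or from FreeRADIUS) that parses a clients.conf in this shape and reports the things worth reviewing before the file goes live: a secret reused by more than one client, a secret shorter than a chosen minimum, `require_message_authenticator = no`, and an address range that admits more NAS devices than one client entry should. The sample configuration is constructed with placeholder secrets; the length threshold and the range threshold are assumed policy values, not FreeRADIUS defaults.

```python
"""Audit a FreeRADIUS clients.conf for shared-secret hygiene.
Added example; not part of the wiki page or FreeRADIUS. SAMPLE is constructed."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = """\
client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = testing123
        require_message_authenticator = no
        nas_type = other        # localhost isn't usually a NAS...
        limit {
                max_connections = 16
        }
}

# constructed sample clients with placeholder secrets
client site_a {
        ipaddr          = 10.0.0.0/8
        secret          = PLACEHOLDER_SECRET_A
}

client site_b {
        ipv6addr        = 2001:db8::/32
        secret          = PLACEHOLDER_SECRET_A
}

client single_nas {
        ipaddr          = 192.0.2.10/32
        secret          = short
}
"""

MIN_SECRET_LEN = 16       # assumed policy threshold
MAX_RANGE_ADDRESSES = 256  # assumed policy threshold: flag anything wider than a /24


def parse_clients(text: str) -> Dict[str, Dict[str, str]]:
    """Return {client name: {key: value}} for top-level settings of each client
    block; nested blocks such as limit { } are skipped. Assumes '#' starts a
    comment, so a secret containing '#' would be truncated."""
    clients: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.match(r"client\s+(\S+)\s*\{$", line)
        if head and depth == 0:
            current, depth = head.group(1), 1
            clients[current] = {}
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif current and depth == 1 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            clients[current][key] = value
    return clients


def audit(clients: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (client, finding) pairs; an empty list means nothing to review."""
    findings: List[Tuple[str, str]] = []
    by_secret: Dict[str, List[str]] = defaultdict(list)
    for name, conf in clients.items():
        secret = conf.get("secret")
        if secret is None:
            findings.append((name, "no secret set"))
            continue
        by_secret[secret].append(name)
        if len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret shorter than {MIN_SECRET_LEN} characters"))
        if conf.get("require_message_authenticator", "").lower() == "no":
            findings.append((name, "require_message_authenticator = no"))
        for key in ("ipaddr", "ipv6addr"):
            if key in conf:
                net = ipaddress.ip_network(conf[key], strict=False)
                if net.num_addresses > MAX_RANGE_ADDRESSES:
                    findings.append((name, f"{key} {net} covers {net.num_addresses} addresses"))
    for secret, names in by_secret.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "shared secret reused across clients"))
    return findings


if __name__ == "__main__":
    for client, finding in audit(parse_clients(SAMPLE)):
        print(f"{client}: {finding}")
```

Point it at the real file with `parse_clients(open("/etc/freeradius/3.0/clients.conf").read())`; a range finding is not necessarily wrong (a lab may want a whole /16), but every NAS inside that range then shares one secret, and the audit makes that visible.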

===== Configuring the users file =====
<code bash>
# cp -p /etc/freeradius/3.0/mods-config/files/authorize{,.dist}
</code>

<code bash>
# cat /etc/freeradius/3.0/users
# examples.
#
#bob    Cleartext-Password := "hello"
#       Reply-Message := "Hello, %{User-Name}"
#
# Start JuntoTelecom - FreeIPA
# Example of use without authentication
#awx_user Cleartext-Password := "$4l03_V3r@"
#        Service-Type = NAS-Prompt-User,
#        Juniper-Local-User-Name := "remote",
#        Huawei-Exec-Privilege = "15",
#        Cisco-AVPair = "shell:priv-lvl=15"

# Group with write permission
DEFAULT Ldap-Group == "cn=radiusgpadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br"
        Service-Type = NAS-Prompt-User,
        Juniper-Local-User-Name := "remote",
        Huawei-Exec-Privilege = "15",
        Cisco-AVPair = "shell:priv-lvl=15"

# Group with read permission
DEFAULT Ldap-Group == "cn=radiusgpmgm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br"
        Service-Type = NAS-Prompt-User,
        Juniper-Local-User-Name := "remote",
        Huawei-Exec-Privilege = "15",
        Cisco-AVPair = "shell:priv-lvl=3"

DEFAULT Auth-Type := Reject
# End JuntoTelecom - FreeIPA
#
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

#
</code>

<code bash>
# systemctl restart freeradius
</code>

===== References =====
  * https://goos-habermann.de/re/22/FreeIPA-Client_auf_Debian11/#1
  * https://goos-habermann.de/re/21/FreeIPA+FreeRADIUS/#1
  * https://goos-habermann.de/re2021-FreeIPA/index.html#1
  * https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
  * https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
  * https://ilcofon.net/index.php/2018/01/05/wifi-authenticate-with-radius-and-freeipa/