From 216bc43ef7a270925ac597806c06030354ba9149 Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Tue, 19 Jul 2022 00:29:05 +0200
Subject: freeradius
---
 roles/freeradius/README.md | 23 ++++++++++++
 roles/freeradius/defaults/main.yml | 17 +++++++++
 roles/freeradius/handlers/main.yml | 6 ++++
 roles/freeradius/tasks/main.yml | 58 ++++++++++++++++++++++++++++++
 roles/freeradius/templates/clients.conf.j2 | 9 +++++
 roles/freeradius/templates/ldap.j2 | 20 +++++++++++
 6 files changed, 133 insertions(+)
 create mode 100644 roles/freeradius/README.md
 create mode 100644 roles/freeradius/defaults/main.yml
 create mode 100644 roles/freeradius/handlers/main.yml
 create mode 100644 roles/freeradius/tasks/main.yml
 create mode 100644 roles/freeradius/templates/clients.conf.j2
 create mode 100644 roles/freeradius/templates/ldap.j2
(limited to 'roles')
diff --git a/roles/freeradius/README.md b/roles/freeradius/README.md
new file mode 100644
index 0000000..8b67265
--- /dev/null
+++ b/roles/freeradius/README.md
@@ -0,0 +1,23 @@
+# freeradius
+
+freeradius with LDAP backend
+
+```yaml
+---
+radius:
+ ldap:
+ server: 'ldap://ldap.example.com'
+ bind_user: 'uid=user,dc=example,dc=com'
+ bind_pwd: 'Password'
+ user_base: 'ou=users,dc=example,dc=com'
+ user_filter: '(uid=%{User-Name})'
+ clients:
+ - name: example
+ ip: '1.1.1.1'
+ secret: 'supersecret'
+ cert:
+ privkey: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+
+```
diff --git a/roles/freeradius/defaults/main.yml b/roles/freeradius/defaults/main.yml
new file mode 100644
index 0000000..cc5dab5
--- /dev/null
+++ b/roles/freeradius/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+radius:
+ ldap:
+ server: 'ldap://ldap.example.com'
+ bind_user: 'uid=user,dc=example,dc=com'
+ bind_pwd: 'Password'
+ user_base: 'ou=users,dc=example,dc=com'
+ user_filter: '(uid=%{User-Name})'
+ clients:
+ - name: asdfasdf
+ ip: '1.1.1.1'
+ secret: 'supersecret'
+ cert:
+ privkey: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ ca: '/etc/ssl/certs/ca-certificates.crt'
+
diff --git a/roles/freeradius/handlers/main.yml b/roles/freeradius/handlers/main.yml
new file mode 100644
index 0000000..3a1e909
--- /dev/null
+++ b/roles/freeradius/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: freeradius
+ systemd:
+ name: freeradius
+ state: restarted
+ become: yes
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
new file mode 100644
index 0000000..0144a25
--- /dev/null
+++ b/roles/freeradius/tasks/main.yml
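Review bot: The defaults `bind_pwd: 'Password'`, `ip: '1.1.1.1'` and `secret: 'supersecret'` under `clients:` are live values rather than placeholders: a host that applies the role without overriding them gets a RADIUS client entry for a public address with a well-known shared secret and a guessable LDAP bind password, and nothing in tasks/main.yml checks that they were overridden. Safer to default `clients: []` and leave `bind_pwd` out of defaults entirely, so an unset value aborts the ldap.j2 render with an undefined-variable error instead of deploying the example; README.md in this commit already documents the expected shape, and example credentials belong there, not in defaults. The placeholder client name `asdfasdf` is another sign this block was meant as an example rather than a default.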
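Review bot: `become: yes` on the handler relies on YAML 1.1 truthy parsing; yamllint's `truthy` rule flags it and the role reads more uniformly with the canonical `become: true`. The same spelling is used on every task in tasks/main.yml in this commit, so the change applies there as well. One-line change per occurrence: `become: true`.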
@@ -0,0 +1,58 @@
+---
+- name: Install packages
+ apt:
+ name:
+ - freeradius
+ - freeradius-ldap
+ become: yes
+
+- name: Install config
+ template:
+ src: ldap.j2
+ dest: /etc/freeradius/3.0/mods-available/ldap
+ become: yes
+ notify: freeradius
+
+- name: Install clients
+ template:
+ src: clients.conf.j2
+ dest: /etc/freeradius/3.0/clients.ansible.conf
+ become: yes
+ notify: freeradius
+
+- name: Clients
+ lineinfile:
+ path: /etc/freeradius/3.0/radiusd.conf
+ search_string: '$INCLUDE clients.ansible.conf'
+ line: '$INCLUDE clients.ansible.conf'
+ insertafter: '$INCLUDE clients.conf'
+ become: yes
+ notify: freeradius
+
+- name: Enable LDAP Authentication
+ file:
+ src: '/etc/freeradius/3.0/mods-available/ldap'
+ dest: '/etc/freeradius/3.0/mods-enabled/ldap'
+ state: 'link'
+ become: yes
+ notify: freeradius
+
+- name: Set EAP Certificate
+ lineinfile:
+ path: /etc/freeradius/3.0/mods-available/eap
+ search_string: '{{ item["s"] }}'
+ line: '{{ item["l"] }}'
+ insertafter: 'tls-config tls-common'
+ become: yes
+ notify: freeradius
+ loop:
+ - s: 'private_key_password'
+ l: '# private_key_password = notset'
+ - s: 'private_key_file ='
+ l: 'private_key_file = {{ radius.cert.privkey }}'
+ - s: 'certificate_file ='
+ l: 'certificate_file = {{ radius.cert.cert }}'
+ - s: 'ca_file ='
+ l: 'ca_file = {{ radius.cert.ca }}'
+ - s: 'check_crl ='
+ l: 'check_crl = no'
diff --git a/roles/freeradius/templates/clients.conf.j2 b/roles/freeradius/templates/clients.conf.j2
new file mode 100644
index 0000000..edd03d3
--- /dev/null
+++ b/roles/freeradius/templates/clients.conf.j2
@@ -0,0 +1,9 @@
+# vi: ft=conf
+
+{% for item in radius.clients %}
+client {{ item.name }} {
+ ipaddr = {{ item.ip }}
+ secret = {{ item.secret }}
+}
+
+{% endfor %}
diff --git a/roles/freeradius/templates/ldap.j2 b/roles/freeradius/templates/ldap.j2
new file mode 100644
index 0000000..d7e10da
--- /dev/null
+++ b/roles/freeradius/templates/ldap.j2
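Review bot: `insertafter: '$INCLUDE clients.conf'` in the Clients task is a regular expression, and `$` there is the end-of-line anchor, so the pattern can never match and lineinfile falls back to appending `$INCLUDE clients.ansible.conf` at the end of radiusd.conf instead of next to the existing include; write it as `insertafter: '^\$INCLUDE clients\.conf'`. The two template tasks (Install config, Install clients) write the LDAP bind password and every RADIUS shared secret to disk without setting ownership or mode, so the files take whatever the umask gives; add `owner: root`, `group: freerad` (the Debian package's service group) and `mode: '0640'` to both so only the service account can read them rather than relying on the package's directory permissions. `check_crl = no` in the last loop item disables revocation checking for any EAP-TLS client certificates; if that is deliberate, a comment saying so or a `radius.cert.check_crl` variable would stop a later reader from treating it as an oversight.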
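Review bot: `secret = {{ item.secret }}` and `ipaddr = {{ item.ip }}` are substituted unquoted, so a shared secret containing a space, `#` or `}` may be misparsed or cut short by the freeradius config parser, while ldap.j2 in the same commit quotes every substituted value; write `secret = "{{ item.secret }}"` and `ipaddr = "{{ item.ip }}"` for consistency. The template also lacks the managed-by-Ansible header that ldap.j2 carries; add `# This file is managed by Ansible. Manual changes will be reverted.` after the modeline so an operator editing clients.ansible.conf by hand knows the change will not survive the next run.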
@@ -0,0 +1,20 @@
+# vi: ft=conf
+# This file is managed by Ansible. Manual changes will be reverted.
+
+ldap {
+ server = "{{ radius.ldap.server }}"
+ identity = "{{ radius.ldap.bind_user }}"
+ password = "{{ radius.ldap.bind_pwd }}"
+ user {
+ base_dn = "{{ radius.ldap.user_base }}"
+ filter = "{{ radius.ldap.user_filter }}"
+ }
+ sasl {
+ # This block needs to exist, but can be empty.
+ # SASL mechanism
+ #mech = 'PLAIN'
+ }
+ update {
+ control:Password-With-Header += 'userPassword'
+ }
+}
-- cgit v1.2.3
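Review bot: The module performs a simple bind with `password = "{{ radius.ldap.bind_pwd }}"` and, through `control:Password-With-Header += 'userPassword'`, reads users' password attributes from the directory, yet the template has no `tls {}` section and the role default for `server` (defaults/main.yml in this commit) is a plain `ldap://` URL, so both the bind credentials and every retrieved password attribute cross the network unencrypted unless the operator happens to pass an `ldaps://` URL. Consider adding a `tls { start_tls = yes }` block with `ca_file` pointing at `radius.cert.ca` and `require_cert = 'demand'`, or at minimum a comment next to `server =` stating that an `ldaps://` URL is expected. The `update {}` block also presumes the bind identity is allowed to read `userPassword`; a short comment documenting that directory-side prerequisite would save the next deployer a debugging round.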