在 Linux 上建構一個 RADIUS 伺服器
Build a RADIUS server on Linux
將遠端網路登入集中化並保證其安全
Centralize and secure your remote network login s
2005 年 6 月 23 日
作為一名網路管理員,您需要為您所需管理的每個網路設備存放用於管理的用戶資訊。但是網路設備通常只支援有限的用戶管理功能。學習如何使用 Linux™ 上的一個外部 RADIUS 伺服器來驗證用戶,具體來說是透過一個 LDAP 伺服器進行驗證,可以集中放置儲存在 LDAP 伺服器上並且由 RADIUS 伺服器進行驗證的用戶資訊,從而既可以減少用戶管理上的管理開銷,又可以使遠端登入過程更加安全。
Summary: As a network administrator, you need to keep administrative user information for each network device you need to manage. But network devices usually support only limited functions for user management. Learn how to use an external RADIUS server on Linux™ to authenticate users, particularly against an LDAP server, allowing you to centralize user information stored in the LDAP server and authenticated by the RADIUS server, thereby both reducing administrative overhead on user management and making the remote login process more secure.
資料安全作為現代系統中網路安全的一部分,與系統安全一樣的重要,所以保護資料 —— 確保提供機密性、完整性和可用性 —— 對管理員來說至關重要。
Data security is as important a component of network security to contemporary systems as systems security is, so protecting your data -- making sure you provide confidentiality, integrity, and availability -- is a paramount concern to administrators.
在本文中,我將談到資料安全性的機密性方面:確保受保護的資料只能被授權用戶或系統存取。您將學習如何在 Linux 系統上建立和配置一個 Remote Authentication Dial-In User Service 伺服器(RADIUS),以執行對用戶的驗證、授權和記費(AAA)。
In this article, I will address the confidentiality aspect of data security: Making sure protected data can only be accessed by authorized people or systems. You'll learn how to set up and configure a Remote Authentication Dial-In User Service server (RADIUS) on a Linux system to perform authentication, authorization, and accounting (AAA) for users.
各組成元素介紹
首先讓我們談一談 RADIUS 協定、AAA 元件以及它們如何工作,另外還有 LDAP 協定。
Let's start by talking about the RADIUS protocol, the AAA components and how they work, and the LDAP protocol.
Remote Authentication Dial-In User Service 協定是在 IETF 的 RFC 2865 中定義的(請參閱
參考資料 獲 得相關鏈結)。它允許網路存取伺服器(NAS)執行對用戶的驗證、授權和記費。RADIUS 是基於 UDP 的一種用戶端/伺服器協定。RADIUS 用戶端是網路存取伺服器,它通常是一個路由器、交換機或無線存取點(存取點是網路上專門配置的節點;WAP 是無線版本)。RADIUS 伺服器通常是在 UNIX 或 Windows 2000 伺服器上運行的一個監護程式。
The Remote Authentication Dial-In User Service protocol is defined in the IETF's RFC 2865 (see Resources
for a link). It allows a network access server (NAS) to perform authentication, authorization, and accounting for users. RADIUS is a client/server protocol based on UDP. The RADIUS client, the network access server, is typically a router, switch, or wireless access point (access points are specially configured nodes on networks; WAPs are wireless versions). The RADIUS server is usually a daemon process running on a UNIX or Windows 2000 server.
RADIUS 和 AAA
如果 NAS 收到用戶連接請求,它會將它們傳遞到指定的 RADIUS 伺服器,後者對用戶進行驗證,並將用戶的配置資訊回傳給 NAS。然後,NAS 接受或拒絕連接請求。
If the NAS receives user-connection requests, it passes them to the designated RADIUS server which authenticates the user and returns the user's configuration information to the NAS. Then, the NAS accepts or rejects the connection requests.
功能完整的 RADIUS 伺服器可以支援很多不同的用戶驗證機制,除了 LDAP 以外,還包括:
A full-featured RADIUS server can support a variety of mechanisms to authenticate users in addition to LDAP, including
- PAP(Password Authentication Protocol,密碼驗證協定,與 PPP 一起使用,在此機制下,密碼以明文形式被發送到用戶端進行比較);PAP (Password Authentication Protocol, used with PPP in which the password is sent to the client as clear text for comparison);
-
CHAP(Challenge Handshake Authentication Protocol,挑戰交握驗證協定,比 PAP 更安全,它同時使用用戶名和密碼);CHAP (Challenge Handshake Authentication Protocol, more secure than PAP, it uses a username and password); - 本地 UNIX/Linux 系統密碼資料庫(/etc/passwd);the local UNIX/Linux system password database (/etc/passwd);
- 其他本地資料庫。other local databases.
在 RADIUS 中,驗證和授權是組合在一起的。如果發現了用戶名,並且密碼正確,那麼 RADIUS 伺服器將回傳一個 Access-Accept 回應,其中包括一些參數(屬性-值對),以保證對該用戶的存取。這些參數是在 RADIUS 中配置的,包括存取類型、協定類型、用戶指定該用戶的 IP 位址以及一個存取控制列表(ACL)或要在 NAS 上應用的靜態路由,另外還有其他一些值。
Authentication and authorization are combined together in RADIUS. If the username is found and the password is correct, the RADIUS server returns an Access-Accept response including some parameters (attribute-value pairs) that grants access to the user. These parameters are configured in RADIUS and include service type, protocol type, IP address to assign the user, an access control list (ACL) or a static route to apply on the NAS, as well as other values.
RADIUS 記費特性(在 RFC 2866 中定義;請參閱 參考資料 獲得相關鏈結)允許在連接 session 的開始和結束髮送資料,表明在 session 期間使用的可能用於安全或計費(billing)需要的大量資源 —— 例如時間、封包和位元組。
RADIUS accounting features (as defined in RFC 2866; see Resources for a link) allow data to be sent at the start and end of connection sessions, indicating the amount of resources -- such as time, packets, and bytes -- used during the session which might be used for security or billing needs.
羽量級目錄存取協定 Lightweight Directory Access Protocol
羽量級目錄存取協定(Lightweight Directory Access Protocol,LDAP)是一種開放標準,它定義了用於存取和更新類 X.500 目錄中資訊的一種方法。LDAP 可用於將用戶資訊保存在一個中央場所,從而不必將相同的資訊儲存在每個系統上。它還可以用於以一種一致的、可控制的方式維護和存取資訊。
The Lightweight Directory Access Protocol (LDAP) is an open standard that defines a method for accessing and updating information in a X.500-like directory. LDAP can be used to keep user information in a central locale to avoid having to store identical user information on each system; it can also be used to maintain and access the information in a consistent and controlled manner.
LDAP 在一個集中的目錄中管理用戶,從而簡化了用戶管理工作。除了儲存用戶資訊外,在 LDAP 中定義用戶還可以使一些可選特性得到啟用,例如限制登入的數量。在本文中,您將學習如何配置 RADIUS 伺服器,以便基於 LDAP 驗證用戶 —— 由於本文的重點在於 RADIUS,我不會描述關於 LDAP 伺服器的安裝和配置的細節。 OpenLDAP 是 LDAP 的一種開放源碼實作。在 OpenLDAP.org 上可以找到關於它的詳細資訊(請參閱
參考資料 獲得相關鏈結)。
LDAP simplifies user administration tasks by managing users in a central directory. In addition to storing user information, defining users in LDAP allows for such optional features as limiting the number of logins. In this article you'll learn how a RADIUS server is configured to authenticate users against LDAP -- since the article focuses on RADIUS, I will not describe the details on the installation and configuration of an LDAP server.OpenLDAP is an open source implementation of LDAP; you can find detailed information on it at OpenLDAP.org (see Resourcesfor a link).
場景 The scenario
想像以下場景:
Imagine the following scenario:
- 用戶在家裡可以透過撥號驗證存取他公司的內部網。 The user at home can access his company's intranet by dial-up authentication.
- 帶無線支援的筆記本電腦可以透過無線驗證連接到一個校園網。 Wireless-enabled laptops can be connected to a campus network by wireless authentication.
- 管理員使用他們的工作站透過管理用戶驗證以 telnet 或 HTTP 登入到網路設備。 Administrators use their workstations to log into network devices via telnet or HTTP via administrative user authentication.
所有這些驗證任務都可以透過一個 RADIUS 伺服器基於一個中央 LDAP 伺服器來完成(見圖 1)。
All the these authentication tasks can be done by a RADIUS server against a central LDAP server (see Figure 1).
圖 1. 透過 RADIUS 和 LDAP 進行驗證 Authentication via RADIUS and LDAP
在本文中,我將重點描述對最後一種選項的實作,作為對該解決方案的一個介紹。首先安裝 RADIUS 伺服器。
In this article, I'll focus on implementing the last option as an introduction to the solution. Let's start by installing the RADIUS server.
安裝 RADIUS Installing RADIUS
RADIUS 伺服器軟體可以從多個地方獲得。在本文中,我將使用 FreeRADIUS(請參閱 參考資料 獲 得相關鏈結),但 Cisco Secure Access Control Server (ACS) 是一種集中式用戶存取控制框架,可用於跨 UNIX 和 Windows 上多個 Cisco 設備的用戶管理,並支援 Cisco 特有的協定 TACACS+(據說在支援 TACACS+ 的設備上可擁有更多的特性)。
RADIUS server software can be obtained from several sources. I'll be using FreeRADIUS in this article (see Resources for a link), but the Cisco Secure Access Control Server (ACS) is a centralized user access control framework for user management across Cisco devices that runs on UNIX and Windows and also supports the the Cisco proprietary protocol TACACS+ (which sports more user-management features on TACACS+-enabled devices).
FreeRADIUS 是來自開放源碼社區的一種強大的 Linux 上的 RADIUS 伺服器,可用於如今的分散式和異質計算環境。FreeRADIUS 1.0.2 支援 LDAP、MySQL、PostgreSQL 和 Oracle 資料庫,並與諸如 EAP 和 Cisco LEAP 之類的網路協定相容。FreeRADIUS 目前被部署在很多大型生產網路系統中。
FreeRADIUS is a powerful RADIUS server on Linux from the open source community which can fit in today's distributed and heterogeneous computing environment. FreeRADIUS 1.0.2 supports LDAP, MySQL, PostgreSQL, and Oracle databases and is compatible with such network protocols as EAP and Cisco LEAP. FreeRADIUS is currently being deployed in many large-scale production network systems.
下面的步驟示範如何在 Red Hat Enterprise Linux Advanced Server 3.0 上安裝和測試 FreeRADIUS 1.0.2:
The following steps demonstrate how to install and test FreeRADIUS 1.0.2 on Red Hat Enterprise Linux Advanced Server 3.0:
清單 1. 安裝和測試 FreeRADIUS
Installing and testing FreeRADIUS
tar -zxvf freeradius-1.0.2.tar.gz - extract it with gunzip and tar
./configure
make
make install - run this command as root
radiusd or - start RADIUS server
radiusd -X - start RADIUS server in debug mode
radtest test test localhost 0 testing123 - test RADIUS server |
如果 radtest 收到一個回應,則表明 FreeRADIUS 伺服器工作正常。
If radtest receives a response, the FreeRADIUS server is working.
同時我還推薦另一種免費工具,那就是 NTRadPing(請參閱 參考資料 獲得相關鏈結),它可用於測試來自 Windows 用戶端的驗證和授權請求。它可以顯示從 RADIUS 伺服器發回的詳細的回應,例如屬性值。
I also recommend another free tool, NTRadPing (see Resources for a link), to test authentication and authorization requests from Windows clients. It can display detailed responses such as attributes value sent back from the RADIUS server.
現在讓我們來配置 FreeRADIUS。
Now let's configure FreeRADIUS.
配置 FreeRADIUS Configuring FreeRADIUS
RADIUS 伺服器的配置包括對伺服器、用戶端和用戶的配置(都是用於驗證和授權)。出於不同的需要,對 RADIUS 伺服器可以有不同的配置。幸運的是,大多數配置都是類似的。
Configuring the RADIUS server consists of configuring the server, the client, and the user (both for authentication and authorization). There can be different configurations of the RADIUS server for different needs; fortunately most of the configurations are similar.
配置伺服器 Configuring the server
FreeRADIUS 配置檔通常位於 /etc/raddb 資料夾下。首先,我們需要像下面這樣修改 radiusd.conf 文件。
FreeRADIUS configuration files are usually stored in the /etc/raddb folder. First we need to modify the radiusd.conf file as shown.
清單 2. 修改 radiusd.conf Modifying radiusd.conf
1) Global settings:
log_auth = yes - log authentication requests to the log file
log_auth_badpass = no - don't log passwords if request rejected
log_auth_goodpass = no - don't log passwords if request accepted
2) LDAP Settings:
modules {
ldap {
server = "bluepages.ibm.com" - the hostname or IP address of the LDAP server
port = 636 - encrypted communications
basedn = "ou=bluepages,o=ibm.com" - define the base Distinguished Names (DN),
- under the Organization (O) "ibm.com",
- in the Organization Unit (OU) "bluepages"
filter = "(mail=%u)" - specify search criteria
base_filter = "(objectclass=person)" - specify base search criteria
}
authenticate { - enable authentication against LDAP
Auth-Type LDAP {
ldap
}
|
參數被設為使用 IBM BluePages,這是 LDAP 服務的一個實例。對於其他 LDAP 伺服器,參數可能有所不同。
The parameters are set for working with IBM BluePages, an instance of an LDAP service. Parameters may be different for other LDAP servers.
配置用戶端 Configuring the client
用戶端是在 /etc/raddb/clients.conf 檔中配置的。有兩種方式可用於配置 RADIUS 用戶端。您可以按 IP subnet 將 NAS 分組(清單 3),或者可以按主機名或 IP 位址列出 NAS(清單 4)。如果按照第二種方法,可以定義 shortname 和 nastype。
Clients are configured in /etc/raddb/clients.conf. There are two ways to configure RADIUS clients. You can group the NAS by IP subnet (Listing 3) or you can list the NAS by hostname or IP address (Listing 4). When you follow the second method, shortnameand nastype can be defined.
清單 3. 按 IP subnet 將 NAS 分組 Grouping the NAS by IP subnet
client 192.168.0.0/24 {
secret = mysecret1 - the "secret" should be the same as configured on NAS
shortname = mylan - the "shortname" can be used for logging
nastype = cisco - the "nastype" is used for checkrad and is optional
}
|
清單 4. 按主機名或 IP 位址列出 NAS Listing the NAS by hostname or IP address
client 192.168.0.1 {
secret = mysecret1
shortname = myserver
nastype = other
}
|
為驗證而配置用戶 Configuring the user for authentication
檔 /etc/raddb/user 包含每個用戶的驗證和配置資訊。
The file /etc/raddb/user contains authentication and configuration information for each user.
清單 5. /etc/raddb/user 文件 The /etc/raddb/user file
1) Authentication type:
Auth-Type := LDAP - authenticate against LDAP
Auth-Type := Local, User-Password == "mypasswd"
- authenticate against the
- password set in /etc/raddb/user
Auth-Type := System - authenticate against the system password file
- /etc/passwd or /etc/shadow
2) Service type:
Service-Type = Login, - for administrative login
|
為授權而配置用戶 Configuring the user for authorization
下面的驗證伺服器屬性-值對(AV)應該為用戶授權而進行配置。在驗證被接受後,這個屬性-值對被回傳給 NAS,作為對管理員登入請求的回應。
The following authentication server attribute value (AV) pair should be configured for user authorization. It is returned to the NAS for an administrator login request after authentication is accepted.
對於 Cisco 路由器,有不同的授權級別:
For a Cisco router, there are different privilege levels:
- 級別 1 是 無特權(non-privileged) 。提示符是 router>,這是用於登入的預設級別。 Level 1 is non-privileged. The prompt is router>, the default level for login.
- 級別 15 是
特權(privileged) 。 提示符是 router#,這是進入 enable 模式後的級別。 Level 15 is privileged. The prompt is router#, the level after going into enable mode. - 級別 2 到 14 在預設配置中不使用。 Levels 2 through 14 are not used in a default configuration.
下面的命令可以使一個用戶從網路存取伺服器登入,並獲得對 EXEC 命令的立即存取:
The following command causes a user logging in from a network access server to have immediate access to EXEC commands:
cisco-avpair ="shell:priv-lvl=15"
下面的程序碼處理相同的任務,這一次是對於 Cisco 無線存取點:
The following code handles the same task for a Cisco wireless access point:
Cisco:Avpair = "aironet:admin-capability=write+snmp+ident+firmware+admin"
任何功能組合都和這個屬性一起回傳:
Any combination of capabilities is returned with this attribute:
Cisco:Avpair = "aironet:admin-capability=ident+admin"
Cisco:Avpair = "aironet:admin-capability=admin"
請與 Cisco 聯繫,以獲得關於這些命令的更多資訊。
Contact Cisco for more information on these commands.
配置網路存取伺服器 Configuring the network access server
接下來我們將配置 NAS,首先是配置一個 Cisco 路由器,然後輪到一個 Cisco WAP。
Next we'll configure the NAS, first for a Cisco router, then for a Cisco WAP.
對於 Cisco IOS 12.1 路由器,我們將啟用 AAA,然後配置驗證、授權和記費。
For the Cisco IOS 12.1 router, we'll enable AAA, then configure authentication, authorization, and accounting.
清單 6. 啟用 AAA Enabling AAA
aaa new-model
radius-server host 192.168.0.100
radius-server key mysecret1
|
AAA 在路由器上應該被啟用。然後,指定能為 NAS 提供 AAA 服務的 RADIUS 伺服器的列表。加密密鑰用於加密 NAS 和 RADIUS 伺服器之間的資料傳輸。它必須與 FreeRADIUS 上配置的一樣。
AAA should be enabled on the router. Then, a list of RADIUS servers that will provide AAA services for the NAS can be specified. The encryption key is used to encrypt the data transfer between the NAS and the RADIUS server. It must be identical with the one configured on FreeRADIUS.
清單 7. 配置驗證 Configuring authenticatio n
aaa authentication login default group radius local
line vty 0 4
login authentication default
|
在這個例子中,網路管理員使用 RADIUS 驗證。如果 RADIUS 伺服器不可用,則使用 NAS 的本地用戶資料庫密碼。
In this example, network administrators use RADIUS authentication. If a RADIUS server is not available, use the NAS's local user database password.
清單 8. 配置授權 Configuring authorization
aaa authorization exec default group radius if-authenticated
|
允許用戶在登入到 NAS 中時運行 EXEC shell。
Allow the user to run an EXEC shell when logging into the NAS.
清單 9. 配置記費 Configuring accounting
aaa accounting system default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting exec default stop-only group radius
aaa accounting commands 1 default stop-only group radius
aaa accounting commands 15 default wait-start group radius
|
必須對路由器進行特別的配置,以使之發送記費記錄到 RADIUS 伺服器。使用清單 9 中的命令記錄關於 NAS 系統事件、網路連接、輸出連接、EXEC 操作以及級別 1 和級別 15 上的命令的記費資訊。
The router must be specifically configured to send accounting records to the RADIUS server. Use the commands in Listing 9 to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at levels 1 and 15.
這樣就好了。現在讓我們看看為 Cisco 無線存取點而進行的配置。下面的配置適用於帶有 Firmware 12.01T1 的 Cisco 1200 Series AP。如圖 2 中的螢幕截圖所示,您:
That's it. Now let's look at configuring for a Cisco wireless access point. The following configuration applies to the Cisco 1200 Series AP with Firmware 12.01T1. As shown in the screen shot in Figure 2, you:
- 輸入伺服器名或 IP 位址和共用的密碼。 Input the server name or IP address and shared secret.
- 選擇「Radius」作為類型,並選取「User Authentication」。 Select type as "Radius" and check "User Authentication."
圖 2. 為 WAP 配置 NAS Configuring NAS for WAP
實際上,在這裡您還可以配置 EAP Authentication,使 FreeRADIUS 可用於驗證無線 LAN 的一般用戶。
Actually, here you can also configure EAP Authentication so FreeRADIUS can be used to authenticate general users to wireless LAN.
記費:工作中的 RADIUS Accounting: RADIUS at work
現在所有配置都已經完成,FreeRADIUS 伺服器可以開始記錄 NAS 發送的所有資訊,將該資訊儲存在 /var/log/radius/radius.log 檔中,就像這樣:
Now that all the configurations have been completed, the FreeRADIUS server can start logging all information sent by NAS, storing it in the /var/log/radius/radius.log file like so:
清單 10. /var/log/radius/radius.log 文件 The /var/log/radius/radius.log file
Thu Mar 3 21:37:32 2005 : Auth: Login OK: [David] (from client mylan port 1 cli 192.168.0.94)
Mon Mar 7 23:39:53 2005 : Auth: Login incorrect: [John] (from client mylan port 1 cli 192.168.0.94)
|
詳細的記費資訊被存放在 /var/log/radius/radacct 目錄中。清單 11 表明,David 在 2005 年 3 月 4 日 19:40 到 19:51 這段時間裡從 192.168.0.94 登入到了路由器 192.168.0.1。這麼詳細的資訊對於正在調查安全事故以及試圖維護易於審計的記錄的管理員來說無疑是一大幫助。
Detailed accounting information is stored in the /var/log/radius/radacct directory. Listing 11 shows that David logged into router 192.168.0.1 from 192.168.0.94 between 19:40 to 19:51 on March 4, 2005. This level of detailed information will definitely be a help to administrators investigating security incidents and trying to maintain easily auditable records.
清單 11. RADIUS 提供的記費細節範例 Sample of the RADIUS-supplied accounting details
Fri Mar 4 19:40:12 2005
NAS-IP-Address = 192.168.0.1
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "David"
Calling-Station-Id = "192.168.0.94"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000026"
Acct-Delay-Time = 0
Client-IP-Address = 192.168.0.1
Acct-Unique-Session-Id = "913029a52dacb116"
Timestamp = 1109936412
Fri Mar 4 19:51:17 2005
NAS-IP-Address = 192.168.0.1
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "David"
Calling-Station-Id = "192.168.0.94"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000026"
Acct-Terminate-Cause = Idle-Timeout
Acct-Session-Time = 665
Acct-Delay-Time = 0
Client-IP-Address = 192.168.0.1
Acct-Unique-Session-Id = "913029a52dacb116"
Timestamp = 1109937077
|
結論 Conclusion
透過遵循本文中列出的簡單步驟,您可以建立一個 Remote Authentication Dial-In User Service 伺服器,該伺服器使用一個外部的 LDAP 伺服器來處理為網路安全問題而進行的驗證、授權和記費。本文提供了以下內容來幫助您完成此任務:
By following the simple steps outlined in this article, you can set up a Remote Authentication Dial-In User Service server that uses an external LDAP server to handle authentication, authorization, and accounting for your network security issues. This article has provided the following to help you accomplish this task:
- 對 RADIUS 和 LDAP 伺服器以及 AAA 概念的介紹。 An introduction to the RADIUS and LDAP servers and to the AAA concept.
- 一個融入了安裝和配置任務的場景。 A scenario to put the installation and implementation into context.
- 關於安裝和配置 RADIUS 伺服器的說明。 Instructions on installing and configuring the RADIUS server.
- 關於配置網路存取伺服器的細節。Details on configuring the network access server.
-
RADIUS 將提供和管理的詳細資訊的一個範例。A sample of the detailed information that RADIUS will provide and manage.
這些指示可以快速確保受保護的資料只能由 Linux 系統上已授權的實體存取。
These instructions can make quick work of the task of making sure protected data can only be accessed by authorized entities on your Linux system.
參考資料 Resources
- 您可以參閱本文在 developerWorks 全球站點上的 英文原文 。
- Internet Engineering Task Force 的 RFC 2865 對 RADIUS 作了描述。 RFC 2866 描述了用於指定記費資訊的一個協定。 RADIUS is described by RFC 2865 of the
Internet Engineering Task Force. RFC 2866 describes a protocol for specifying accounting information.
- Configuring RADIUS 描述了 RADIUS 安全系統,定義了它的操作,並指出了適合與不適合使用 RADIUS 的網路環境。 Configuring RADIUS
describes the RADIUS security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS.
- 透過存取 OpenLDAP.org 獲得關於 OpenLDAP 的更多資訊。 Visit OpenLDAP.org for more information on OpenLDAP.
- Understanding LDAP - Design and Implementation (IBM Redbooks,2004 年 6 月)介紹了 LDAP 概念和架構以及 IBM Tivoli Directory Server。
Understanding LDAP - Design and Implementation (IBM Redbooks, June 2004) introduces LDAP concepts and architecture and the IBM Tivoli Directory Server.
- 這篇 LDAP Linux HOWTO 含有關於在 Linux 系統上安裝、配置、運行和維護 LDAP 伺服器的完整資訊。 This LDAP Linux HOWTO is chock full of information about installing, configuring, running, and maintaining a LDAP server on a Linux system.
-
Authenticating Linux users with IBM Directory Server (developerWorks,2003 年 9 月)描述了如何使用 IBM Directory Server 來驗證 Linux 用戶。 Authenticating Linux users with IBM Directory Server (developerWorks, September 2003) describes how to use the IBM Directory Server to authenticate Linux users.
- 讓 Linux 更安全,第 1 部分:介紹 (developerWorks,2004 年 7 月)展示了如何將 LDAP 伺服器用於用戶資訊和驗證。
Securing Linux, Part 1: Introduction (developerWorks, July 2004) shows you how to use an LDAP server for user information and authentication.
- 從 OpenLDAP 網站獲得最新版本的 OpenLDAP 。 Get the latest version of OpenLDAP at the OpenLDAP Web site.
- 從 FreeRADIUS 網站 獲得 FreeRADIUS。 Get
FreeRADIUS at the FreeRADIUS Web site.
- NTRadPing 讓您可以測試來自 Windows 客戶的驗證和授權請求。 NTRadPing lets you test authentication and authorization requests from a Windows client.
- 為瞭解更多關於 Cisco Secure Access Control Server (ACS) 和網路設備上的 AAA 實作的資訊,請存取 Cisco Systems 。
To learn more about Cisco Secure Access Control Server (ACS) and AAA implementation on network devices, visit Cisco Systems.
- 透過存取 IETF,瞭解更多關於 RADIUS 、 RADIUS accounting 和 LDAP 驗證方法 的資訊。 Visit IETF to learn more about RADIUS,
RADIUS accounting, and LDAP authentication methods.
- PADL Software 提供了大量 Linux/LDAP 文檔和參考資料 。 PADL Software provides a roundup of Linux/LDAP documentation and resources.
- 在 developerWorks Linux 專區 可以找到為 Linux 開發人員準備的更多有用資訊。
Find more resources for Linux developers in the developerWorks Linux zone .
- 透過參與 developerWorks blogs 加入 developerWorks 社區。 Get involved in the developerWorks community by participating in developerWorks blogs.
- 定購免費的 SEK for Linux
,這是兩張 DVD,其中包含了 IBM 在 Linux 平臺上的最新試用軟體,包括 DB2®、Lotus®、Rational®、Tivoli® 和 WebSphere®。 Innovate your next Linux development project with IBM trial software, available for download directly from developerWorks.
- 在您的下一個 Linux 開發專案中使用 IBM 試用軟體 ,它們可以從 developerWorks 的下載目錄中獲得。
- AIX RADIUS server, Part 1: Authentication and accounting protocols
(developerWorks, January 2005) discusses the authentication and accounting protocols and explains the basic RADIUS packet flow using a modem example. - Browse for books on these and other technical topics.
 |
關於作者 About the author
 |
| | Wei Zhang 是一名網路和資訊安全專家。在過去六年裡,他設計和實作了不同類型的大規模網路系統,涵蓋了很多種技術,從 SNA、VoIP、IDS、VPN 和防火牆到無線 LAN。他於 2003 年加入 IBM,擔任一名 IT 專家。目前,他的工作重點是資訊安全技術和管理。您可以透過 zhangwd@cn.ibm.com 與他聯繫。
Wei Zhang is a network and information security specialist. He designed and implemented various large-scale network systems in the past six years covering a broad range of technologies, from SNA, VoIP, IDS, VPN, and firewalls to wireless LAN. He joined in IBM as an IT specialist in 2003. Currently, his concentration is information security technology and management. You can reach him at zhangwd@cn.ibm.com .
|
備註
重要
