service:multiotp

service:multiotp [24.08.2023 08:00] – [Configuring user synchronization with AD] viacheslav; service:multiotp [30.07.2024 19:21] (current) – external edit 127.0.0.1
====== MultiOTP ======
https://github.com/multiOTP/multiotp

===== Running =====
<code bash>
volume="/docker/multiotp"
sudo mkdir -p "$volume"
# the mounted volumes must be writable by the container's unprivileged user (UID/GID 1000)
sudo chown -R 1000:1000 "$volume"

# 80/443: web interface; 1812/1813 udp: RADIUS authentication/accounting
docker run --name multiotp \
-v "$volume/data:/etc/multiotp" \
-v "$volume/freeradius/config:/etc/freeradius" \
-v "$volume/multiotp/log:/var/log/multiotp" \
-v "$volume/freeradius/log:/var/log/freeradius" \
-p 8080:80 \
-p 8443:443 \
-p 1812:1812/udp \
-p 1813:1813/udp \
-d multiotp/multiotp-open-source
</code>

===== Configuring user synchronization with AD =====
<code bash>
docker exec -it multiotp sh
# set alias
alias multiotp=/usr/local/bin/multiotp/multiotp.php

# Decide whether, by default, created users need to type a prefix PIN (1|0):
multiotp -config default-request-prefix-pin=0
# Decide whether, by default, created users need to type their Active Directory password instead of a PIN (1|0):
multiotp -config default-request-ldap-pwd=1
# Set the AD/LDAP server type (1=Active Directory | 2=standard LDAP):
multiotp -config ldap-server-type=1
# Set the user CN identifier (sAMAccountName, or possibly userPrincipalName):
multiotp -config ldap-cn-identifier="sAMAccountName"
# Set the group CN identifier (sAMAccountName for Active Directory):
multiotp -config ldap-group-cn-identifier="sAMAccountName"
# Set the group attribute:
multiotp -config ldap-group-attribute="memberOf"
# Decide whether to use an SSL connection by default (0|1).
# With 0 the bind password and user data cross the network in clear text;
# if the domain controllers offer LDAPS, set 1 here and 636 below:
multiotp -config ldap-ssl=0
# Set the default port (389=regular | 636=SSL connection):
multiotp -config ldap-port=389
# Set the Active Directory server(s), comma separated:
multiotp -config ldap-domain-controllers=dc1.example.com,dc2.example.com,dc3.example.com
# Set the Base DN:
multiotp -config ldap-base-dn="DC=example,DC=com"
# Set the Bind DN (the account used to connect to the AD/LDAP; use a dedicated read-only service account):
multiotp -config ldap-bind-dn="CN=sa_ldap,OU=_ServiceAccount,DC=example,DC=com"
# Set the password of the account used to search the Active Directory
# (note that the value ends up in the shell history of the container session):
multiotp -config ldap-server-password="BindDNAccountPassword12345"
# Groups a user must belong to in the Active Directory in order to be added:
multiotp -config ldap-in-group="VPN-access"
# Set the network timeout
multiotp -config ldap-network-timeout=10
# Set the transaction time limit
multiotp -config ldap-time-limit=30
# Activate the AD/LDAP support (0|1):
multiotp -config ldap-activated=1
# Run the AD/LDAP user synchronisation (users removed or deactivated in the AD/LDAP are deactivated in multiOTP)
multiotp -debug -display-log -ldap-users-sync
</code>
<WRAP round important 60%>
Don't forget to schedule a script that runs the user synchronization regularly!
</WRAP>

Output during synchronization
<code>
LOG 2023-08-08 09:32:37 debug LDAP Debug: *AD/LDAP synchronization started at 09:32:37 / Memory used: 1.6MB / Peak: 1.6MB
LOG 2023-08-08 09:32:37 info LDAP Info: AD/LDAP synchronization started
LOG 2023-08-08 09:32:37 debug System Debug: *LDAP cache folder created (/tmp/.ldap_cache/)
LOG 2023-08-08 09:32:37 debug System Debug: *LDAP cache folder value: /tmp/.ldap_cache/
LOG 2023-08-08 09:32:40 debug System Info: *File created: /etc/multiotp/users/ivanov.db
LOG 2023-08-08 09:32:40 info System Info: User ivanov automatically created
LOG 2023-08-08 09:32:40 debug System Info: *File created: /etc/multiotp/users/petrov.db
LOG 2023-08-08 09:32:40 info System Info: User petrov automatically created
LOG 2023-08-08 09:32:40 debug System Info: *File created: /etc/multiotp/users/sidorov.db
LOG 2023-08-08 09:32:40 info System Info: User sidorov automatically created
LOG 2023-08-08 09:32:40 info LDAP Info: 3 users created, based on 3 LDAP entries (processed in 00:00:03)
19 *INFO: Requested operation successfully done
</code>

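The scheduled sync job the note above asks for, as an added example that is not part of this page or of the multiOTP project: a cron wrapper that runs the sync through docker exec and judges the run by multiOTP's result code instead of trusting that it went through. It assumes the container is named multiotp and that multiotp.php sits where the alias above points; the embedded sample log is constructed from the output shown above.

```sh
#!/bin/sh
# Added example, not from this page or the multiOTP project: a cron wrapper
# for the AD/LDAP sync configured above. Assumes the container is named
# "multiotp" and multiotp.php sits where the alias above points.
CONTAINER="${CONTAINER:-multiotp}"
MULTIOTP_BIN="/usr/local/bin/multiotp/multiotp.php"

# Run the sync inside the container and return its log output.
run_sync() {
    docker exec "$CONTAINER" "$MULTIOTP_BIN" -display-log -ldap-users-sync 2>&1
}

# Number of users a run created, read from multiOTP's summary line
# "N users created, based on M LDAP entries"; prints 0 if it is absent.
sync_created_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) users created, based on .*/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# A successful run ends with multiOTP result code 19 on its last line
# ("19 *INFO: Requested operation successfully done"); anything else is a failure.
sync_succeeded() {
    case "$(printf '%s\n' "$1" | tail -n 1)" in
        "19 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample modelled on the sync output shown above (not a real capture).
SAMPLE_LOG='LOG 2023-08-08 09:32:37 info LDAP Info: AD/LDAP synchronization started
LOG 2023-08-08 09:32:40 info System Info: User ivanov automatically created
LOG 2023-08-08 09:32:40 info System Info: User petrov automatically created
LOG 2023-08-08 09:32:40 info LDAP Info: 2 users created, based on 2 LDAP entries (processed in 00:00:03)
19 *INFO: Requested operation successfully done'

main() {
    out=$(run_sync)
    if sync_succeeded "$out"; then
        echo "multiotp ldap sync ok: $(sync_created_count "$out") users created"
    else
        # cron mails stderr, so a failed sync (unreachable DC, bad bind password) is noticed
        printf 'multiotp ldap sync FAILED:\n%s\n' "$out" >&2
        exit 1
    fi
}

# Run the real sync only when executed as the cron script, not when sourced.
case "${0##*/}" in multiotp-ldap-sync.sh) main ;; esac
```

Install it as /usr/local/sbin/multiotp-ldap-sync.sh and add a crontab entry such as `*/15 * * * * /usr/local/sbin/multiotp-ldap-sync.sh`.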
[[https://github.com/multiOTP/multiotp#how-to-configure-multiotp-to-synchronized-the-users-from-an-active-directory-|How to configure MultiOTP to synchronized the users from an Active Directory?]]

===== References =====

[[https://habr.com/ru/articles/308988/|Go to 2FA (Two-factor authentication for ASA SSL VPN)]]\\
[[https://winitpro.ru/index.php/2022/01/18/2fa-v-windows-multiotp/|Setting up two-factor authentication (2FA) in Windows with MultiOTP]]\\
[[https://goqr.me/#t=url|QR code generator]]
  
