
Re: Using Radius for authentication...



On 22/01/02 6:21 PM, "Stephan Siano" <stephan.siano@suse.de> wrote:

> On Tuesday, 22. January 2002 03:31, Nigel Kersten wrote:
>> Apologies if I have misunderstood the messages in the archives I've come
>> across, but most people seem to want to do things in the opposite direction
>> to what I want....
>> 
>> Basically I am on a sub-campus of a university that uses a modified Radius
>> system for the universal login/passwords for students and staff.
>> 
>> At this stage I have an LDAP directory with accounts in it that are being
>> used for authentication in various labs, but my ideal scenario would be one
>> where I can do the authentication against the Radius accounts passwords.
>> 
>> Is this something built into OpenLDAP ? Or will I have to work on patching
>> my existing command line client for the radius system into OpenLDAP?
> 
> Hi,
> 
> it really depends on what you are doing and what you want to achieve. If you
> want to authenticate OpenLDAP access you could enable the (unencrypted) SASL
> PLAIN mechanism (look for sasl_secprops in slapd.conf and the SASL
> documentation) and use a RADIUS-PAM-Module for SASL-Authentication.
> 
> If you are currently using a combination of nss_ldap and pam_ldap for
> managing UNIX machines you could replace the authentication part (mainly
> pam_ldap) by a RADIUS PAM module and leave the rest as it is (the passwords
> are not in your directory but in the RADIUS). You will need a mechanism to
> keep the UIDs in sync and you may want the above method to provide access to
> your directory.
> 
> Yours
> Stephan Siano


I don't think I made myself clear, or maybe I'm not understanding your first
paragraph properly. About to go read up on the things you've mentioned, but
in case I didn't explain anything properly... I'm just going to outline my
situation in a bit more detail.

I'm running OpenLDAP 2.0.21, and it is currently holding user accounts,
without using any pam modules or anything, on a Mac OS X Server box. MOSXS
can look for user info in a directory service like OpenLDAP. (this is not a
production system as yet, I'm looking for a workable solution...) The
passwords are currently stored as SSHA hashes.

I'm on a sub-campus of a uni. The main campus has a central Radius
authentication system, known as "Unipass", for which every single student and
staff member has a login (their employee id) and a password. I have no
control over the Radius server; it is a completely different dept.

My userids on my LDAP server are all of the same form, the employee id.
Rather than storing passwords in the LDAP server at all, I would like to
authenticate against the central Radius server. This would mean I could have
a central user database, and all password generation would be handled by
someone else... All staff know their unipass as it gets used for all sorts
of services.


Does that make more sense now? Most of the messages in the archives I'd come
across were talking in the other direction it seemed, getting a Radius
server to authenticate against an LDAP directory, which isn't what I want to
do.


Thanks for any pointers.

nigel


--
N i g e l   K e r s t e n |  College of Fine Arts,
[Systems Administrator]   |  Uni.of.NSW.Sydney.Australia.
nigel@cofa.unsw.edu.au    |  ph.9385 0672:fax.9385 0624

"It's like a jungle sometimes, it makes me wonder,
how I keep from going under" - Grandmaster Flash.
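
Stephan's first suggestion (SASL PLAIN binds against slapd, checked through saslauthd and a RADIUS PAM module so that no password hashes live in the directory), laid out as an added configuration example. This is not from the original thread, from the OpenLDAP project or from the RADIUS PAM module's documentation; the base DN, certificate paths, RADIUS host and shared secret are placeholders. Directive names follow slapd.conf(5) of the OpenLDAP 2.1 era and the Cyrus SASL 2 file layout, which is an assumption for a 2.0.21 install (some directives were spelled differently there, so check the local man page). Because PLAIN carries the password in the clear inside the SASL exchange, the fragment refuses binds on sessions without TLS.

```conf
# --- /etc/openldap/slapd.conf (fragment) ---
# slapd's default sasl-secprops include "noplain", which is why PLAIN binds
# fail out of the box. Dropping "noplain" enables PLAIN; the "security"
# line keeps it usable only on TLS-protected sessions.
TLSCertificateFile      /etc/openldap/server.crt      # placeholder path
TLSCertificateKeyFile   /etc/openldap/server.key      # placeholder path
security                tls=56                        # refuse binds on non-TLS sessions
sasl-secprops           noanonymous                   # replaces the default "noanonymous,noplain"

# Map the SASL identity of a successful PLAIN bind onto the directory entry
# whose uid is the employee id (base DN is a placeholder; the identity form
# uid=<user>,cn=<mech>,cn=auth is the 2.1-era form, assumption for 2.0.21).
sasl-regexp
  uid=(.*),cn=PLAIN,cn=auth
  uid=$1,ou=People,dc=example,dc=edu

# --- /usr/lib/sasl2/slapd.conf (Cyrus SASL per-application config) ---
# Hand plaintext checks to the saslauthd daemon instead of a local sasldb.
pwcheck_method: saslauthd

# --- saslauthd start-up ---
# saslauthd -a pam        (PAM service name is "slapd", from the file above)

# --- /etc/pam.d/slapd ---
# Only the "auth" phase is needed: RADIUS decides whether the password is
# right; account data (uid, gid, home) still comes from the LDAP entry.
auth     required   pam_radius_auth.so
account  required   pam_permit.so

# --- /etc/raddb/server (read by pam_radius_auth; keep it 0600 root) ---
# server[:port]             shared_secret              timeout(s)
radius.example.edu:1812     CHANGE-ME-SHARED-SECRET    3
```

With this in place a client that does `ldapsearch -Y PLAIN -U <employee-id> -ZZ` (or any LDAP client doing a SASL PLAIN bind over TLS) is authenticated by the central RADIUS server, and slapd maps the result onto the existing directory entry, so the userPassword attribute can be removed from the entries. Whether Mac OS X Server performs SASL binds or simple binds against the directory decides whether this path, or Stephan's second one (a RADIUS PAM module on each client and the directory only for account data), is the one that fits.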