
Re: LDAP authentication using Radius



JET JETASIK wrote:
> I am investigating 2-factor authentication, in which mostly they are actually
> RADIUS servers.
> 
> My problem is that most of my applications rely on LDAP auth only.
>
> I am trying to figure out how to use
> openldap/contrib/slapd-modules/passwd/radius.c
> 
> I did compile and successfully load it, but I am not sure how to configure it.
>
> This is what I put into slapd.conf to load the module:
> 
> moduleload pw-radius.so config="/etc/radius.conf"
> 
> Firstly, I couldn’t figure out what exactly the format of /etc/radius.conf is
> (Mandatory items: Radius server IP & Shared Secret)

Read the radius.conf(5) manpage.

> Secondly the format of userpassword scheme, {RADIUS}XXXXYYY@ZZZ ??

Yes, {RADIUS} followed by whatever your radius server thinks is a valid username.

If by 2-factor authentication you mean some kind of challenge/response method,
that will not work. The module has no way to relay the challenge back to the
LDAP client, and the LDAP Simple Bind request doesn't support
challenge/response type authentication.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
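
The mapping described in the reply above, as an added example that is not part of the original message or of the OpenLDAP module's code: a Simple Bind supplies only a name and a password, which fill exactly one RADIUS Access-Request (RFC 2865), and an Access-Challenge reply has no path back to the LDAP client. The function names, the constructed sample values in use, and the choice to report a challenge as a failed bind are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def radius_username(stored):
    """Return the RADIUS username from a userPassword value such as {RADIUS}alice@example."""
    scheme, _, name = stored.partition("}")
    if scheme.upper() != "{RADIUS" or not name:
        raise ValueError("not a {RADIUS} userPassword value")
    return name

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: MD5 keystream chained per 16-byte block."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(stored, bind_password, secret, ident=0, authenticator=None):
    """Build the single Access-Request that a Simple Bind's name and password can fill."""
    authenticator = authenticator or os.urandom(16)
    name = radius_username(stored).encode()
    hidden = hide_password(bind_password, secret, authenticator)
    attrs = bytes([USER_NAME, len(name) + 2]) + name
    attrs += bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def bind_result(reply, request_auth, secret):
    """Map a RADIUS reply to the two outcomes a Simple Bind can report."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False
    # Access-Challenge (11) carries a prompt that cannot be relayed to the LDAP
    # client, so only Access-Accept counts as a successful bind here.
    return reply[0] == ACCESS_ACCEPT
```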