
I am running Ubuntu 12.04 and OpenLDAP 2.4.28-1.1ubuntu4.5. I have users populated in LDAP with userPassword attribute being an {SHA1} hash. Users are able to login over SSH and authenticate to web applications.

Now, I'd like to add Radius authentication (from an OTP server) to the LDAP server as an additional mechanism. This way, users could authenticate via their Radius 'One Time Password' but all the POSIX attributes would get pulled down from LDAP. Is this possible? What is the mechanism called?

Server Fault

1 Answer


OpenLDAP 2.4 supports SASL password pass-through authentication ( http://www.openldap.org/doc/admin24/security.html ).

This feature allows delegating the authentication process to the saslauthd daemon while keeping the other attributes in OpenLDAP.

This feature requires replacing the actual userPassword value with the string "{SASL}username@realm", so you can't use a SHA1 password and SASL authentication for the same user. Furthermore, SASL can use PAM as its backend authentication method.

PAM has a module that allows using FreeRADIUS authentication. The full chain of authentication will be:

OpenLDAP Server --> saslauthd --> pam module with radius --> Freeradius server


There are two other ways to solve this problem:

  • if your web application supports PAM authentication, create a PAM module that uses both FreeRADIUS and LDAP authentication

  • if your web application supports RADIUS authentication, configure FreeRADIUS with OpenLDAP as its backend

SSH already supports PAM and RADIUS authentication (the latter using a PAM module).

NoNoNo
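Added by the editor, not part of the answer above: the configuration for each hop of the chain slapd → saslauthd → pam_radius_auth → FreeRADIUS on an Ubuntu 12.04 host. File paths are the Ubuntu/Debian defaults, and the user `jdoe`, the base DN `dc=example,dc=com`, the RADIUS server address `192.0.2.10` and the shared secret are placeholders chosen for the example.

```conf
# --- 1. Tell slapd to check {SASL} passwords through saslauthd ---
# File: /etc/ldap/sasl2/slapd.conf  (Ubuntu path; other builds read /usr/lib/sasl2/slapd.conf)
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
# The slapd user must be able to reach that socket. On Ubuntu the socket
# directory is group "sasl", so run:  adduser openldap sasl   (then restart slapd)

# --- 2. Run saslauthd with the PAM mechanism ---
# File: /etc/default/saslauthd
START=yes
MECHANISMS="pam"
# Ubuntu ships OPTIONS="-c -m /var/run/saslauthd". Drop the -c for an OTP setup:
# -c caches a successful credential and answers later checks from the cache,
# so a one-time password that was already consumed would be accepted again
# until the cache entry expires (hours, by default).
OPTIONS="-m /var/run/saslauthd"

# --- 3. PAM stack for the service name slapd hands to SASL ("ldap") ---
# File: /etc/pam.d/ldap
# saslauthd's PAM mechanism runs both the auth and the account phase,
# so an account line is required as well.
auth     required   pam_radius_auth.so
account  required   pam_permit.so

# --- 4. Server list for pam_radius_auth (package libpam-radius-auth) ---
# File: /etc/pam_radius_auth.conf   (chmod 0600: it holds the shared secret)
# server[:port]      shared_secret        timeout_seconds
192.0.2.10:1812      placeholder-secret   3

# --- 5. Switch one user from the stored {SHA1} hash to pass-through ---
# LDIF for ldapmodify. With the PAM mechanism no @realm suffix is needed.
# The old hash is overwritten, so this user can no longer bind with it.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}jdoe
```

Test the hops in order so a failure can be placed: `testsaslauthd -s ldap -u jdoe -p <otp>` exercises saslauthd, PAM and the RADIUS server without involving slapd; `ldapwhoami -x -ZZ -H ldap://localhost -D uid=jdoe,ou=People,dc=example,dc=com -W` then drives the whole chain through a simple bind. Two caveats a practitioner should keep in mind: pass-through only works for simple binds, which carry the OTP in the clear, so require TLS on the server (for example `olcSecurity: simple_bind=128` in cn=config) and point pam_ldap/nslcd on the SSH hosts at ldaps:// or StartTLS; and every bind consumes one OTP, so a web application that re-binds as the user on each request will burn through codes, whereas one SSH login through pam_ldap performs a single bind.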
  • What is the `userPassword` attribute format for the PAM backend? For Active Directory, the "realm" portion is the AD Domain. What would it be for PAM, {SASL}user@PAM? – Server Fault Sep 15 '15 at 19:03
  • If you use PAM as SASL backend you can use "userPassword: {SASL}username" without realm – NoNoNo Sep 15 '15 at 19:49
  • That seems to use my current SASL passthrough realm (for Active Directory) if left as `{SASL}user`. Can saslauthd work both for PAM and Passthrough (for AD) ? – Server Fault Sep 15 '15 at 20:33