Re: [Help-gnu-radius] Authenticate with LDAP

[Gerald]

On Thu, 26 Feb 2004, Greg G wrote:

> In an unrelated matter, I'm looking in to using LDAP as my source to
> authenticate users via RADIUS.  As far as I can tell, I need to use some
> sort of PAM to do it.  Is there an existing module that lets me do
> this?  I've seen that there's a pam_ldap module.

PAM is how you will need to talk to the LDAP server. Depending on your
operating system, you may have PAM already installed or easy to install
(FreeBSD/Linux) or you may need to download it and configure the whole
thing (most everything else)

> I'm not sure how to actually use that (if it's what I need) or how to
> get RADIUS to use it without having to set "Auth-Type=PAM" for all my
> users.  Hmmm.  Maybe I do, at that.  I'd have to make my default and
> authentication with Scheme, right?  Although that's clear as mud...

>From a RADIUS standpoint you just point it to PAM and PAM passes the
credentials to the LDAP server. Schema is the confusing part of any LDAP
implementation. Do you have an LDAP schema that you are having to
incorporate this in to? As a co-worker likes to point out regularly LDAP
is just a protocol, do you have some sort of database feeding LDAP or are
you using the term LDAP to refer to an openldap server (which is just one
implementation of LDAP as a protocol)

PAM can be confusing, but I'm sure there are some mailing lists related to
PAM that can get you going on getting it talking to your LDAP
implementation. If this is for a business and time is of the essence, you
might consider a commercial solution like RADIATOR that comes with built
in LDAP capability. It'll cost you though.

Gerald