1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
.TH SLAPD-PW-RADIUS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2015-2024 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapd-pw-radius \- Radius backend password module to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.RS
.LP
.B moduleload
.B pw-radius
.I /path/to/radius.conf
.RE
.SH DESCRIPTION
.LP
The
.B pw-radius
module to
.BR slapd (8)
provides support for using a RADIUS infrastructure as backend to
verify the password provided in Simple Bind operations to OpenLDAP.
.LP
It does so by providing an additional password scheme for use in slapd:
.RS
.TP
.B {RADIUS}
RADIUS password scheme
.RE
.LP
Unlike in other password schemes, the value following the scheme is not
a - potentially hashed - password, but the name of the corresponding
RADIUS user in the RADIUS infrastructure.
.LP
This value, together with the password used in the Simple Bind operation,
will be sent to the RADIUS server for authentication.
.LP
If the RADIUS server successfully authenticates the user,
then the password verification succeeds, resulting in the LDAP Bind
operation's success.
.LP
Conversely, failed RADIUS authentications leads to failing LDAP Binds.
.SH CONFIGURATION
The
.B pw-radius
module needs no configuration beyond the additional
.I filename
argument to
.BR slapd.conf (5)'s
.B moduleload
directive.
This filename is expected to point to a valid
.BR radius.conf (5).
file adhering to
.BR libradius (3).
.LP
After loading the module, the password scheme
.B {RADIUS}
will be recognised in values of the
.I userPassword
attribute.
.SH NOTES
Owing to its construction, using the
.B {RADIUS}
scheme as argument to the
.BR password-hash
option in
.BR slapd.conf (5)
does not make much sense, because of the scheme's construction.
.LP
This also applies to the use of the
.B {RADIUS}
scheme in
.B slappasswd
or
.BR ldappasswd .
.SH EXAMPLES
To indicate that Simple Bind operations shall use the RADIUS user
.B johndoe
when validating passwords against the RADIUS infrastructure,
set a user's LDAP attribute userPassword to:
.EX
.LP
userPassword: {RADIUS}johndoe
.EE
.SH LIMITATIONS
Due to the way the configuration is loaded (additional argument
to slapd.conf's moduleload directive), this module cannot be used
with table-driven configuration.
.SH SEE ALSO
.BR slapd.conf (5),
.BR libradius (3)
.BR ldap (3),
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.LP
.SH ACKNOWLEDGEMENTS
This manual page has been written by Peter Marschall.
.LP
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.
|