5:57 p.m.
Dear All,
I have setup 2 factor authentication on a RADIUS server (OTP).The user has to authenticate
using:login: adusernamepassword: ADpasswordGENERATEDPIN
My issue is that some applications like VMWare supports only LDAP authentication.
So i was wondering how i could use RADIUS server for authentication inside LDAP.
I have found some elements like pw-radius.so, but this is clearly not fully documented.
So I was wondering if one of you has ever implemented this kind of solution and how...
Kind reagrds,
David
1:04 p.m.
On Sat, Aug 23, 2014 at 5:57 PM, David R <ajrtin(a)hotmail.com> wrote:
So I was wondering if one of you has ever implemented this kind of
solution and how...
I've implemented such a solution. My solution isn't an OpenLDAP solution;
it just has OpenLDAP as a key part of the mix in our infrastructure. For
various business reasons, I needed per-application, per-user variability of
whether to use OTP or not. Unfortunately, I can't yet publish the code.
However, our particular solution is pretty simple to implement. (And I
should probably note that we're not actually using RADIUS; we're using our
OTP server's SOAP interface, instead. However, we could use RADIUS. We
just get slightly more flexibility from the SOAP interface than is provided
by the RADIUS interface.)
I used Node.js and the ldapjs module to create a limited functionality LDAP
proxy. It's pretty simple, at a total of 131 lines of code, including
comments, whitespace, etc. It only handles searches and binds, which was
sufficient for the applications at issue. In the directory, I maintain a
group of users who are required to use OTP to authenticate. When a bind
request comes in, I check the DN against the membership of the group. If
the user must OTP, I run off to the OTP server to complete the
authentication. If not, I pass the authentication through to the OpenLDAP
server.
Obviously, the clients need to use the proxy as their directory server, in
place of the actual server.
Greg
8:36 a.m.
On Sun, 24 Aug 2014, David R wrote:
I have setup 2 factor authentication on a RADIUS server (OTP).
[...]
I have found some elements like pw-radius.so, but this is clearly not fully documented.
[...]
So I was wondering if one of you has ever implemented this kind of solution and how...
I use pw-radius.so for OTP. About the only part that you might have to
read the source/ITS for is to learn that the scheme is "RADIUS". So an
example userPassword attribute could be "{RADIUS}otpusername" or similar.
Were you able to get started (i.e. as described in
contrib/slapd-modules/passwd/README) with pw-radius.so? I realize there's
no man page, but there's also no moving parts to document, really. IMO:
1. find a suitable copy (BSD/Juniper-style IIRC) of libradius
2. get the "radtest" program that comes with libradius working
3. compile pw-radius.so against your now-working libradius
4. load same into slapd(8)
5. ldapmodify a userPassword; that should do it.
3190
days inactive
3205
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Aaron Richton -
David R -
Gregory Haverkamp