Re: radius server supporting LDAP
On Mon, Jan 08, 2001 at 06:50:16PM +1100, Jeremy Lunn wrote:
> I am just wondering if anyone knows of any radius servers that support
> LDAP for configuration. Cistron Radius sounds good, but it can only
> use LDAP for authentication, not for other configuration options such
> as static IP addresses.
>
> Can anyone advise my of a radius server that supports all configuring
> for users to be done using LDAP?
you could check whether the beta freeradius (successor to cistron
radiusd) supports it. http://www.freeradius.org/
alternatively, you could use cistron's Exec-Program-Wait feature. it
allows you to run an external script for authentication and to add
extra A/V pairs. see /usr/share/doc/radiusd-cistron/README.gz in the
cistron-radiusd package.
an excerpt:
Exec-Program string program to execute after authentication
Exec-Program-Wait string ditto, but wait for program to finish
before sending back auth. reply
Exec-Program can take arguments. You can use macros in the arguments:
Taken from the original request:
%p Port number
%n NAS IP address
%u User name
%a Protocol (SLIP/PPP)
%s Speed (connect string - eg "28800/V42.BIS")
%i Calling Station ID
Taken from the reply as defined thusfar:
%f Framed IP address
%c Callback-Number
%t MTU
For example, use the following entry for someone who has BSMTP (queued
SMTP) service. "brunq" is the program that runs the SMTP queue.
robert Service-Type = Framed-User
Exec-Program = "/usr/local/sbin/brunq -h %f delta",
Fall-Through = 1
The output from Exec-Program-Wait is parsed by the radius server. If
it looks like Attribute/Value pairs, they are decoded and added to the
reply sent to the NAS. This way, you can for example set Session-Timeout.
For backwards compatibility, if the output doesn't look like valid
radius A/V pairs, the output is taken as a message and added to the
reply sent to the NAS as Port-Message.
If Exec-Program-Wait returns a non-zero exit status, access will be
denied to the user. With a zero-exit status, access is granted.
craig
--
craig sanders
Reply to: