LDAP Authentication Overview

Steel-Belted Radius Carrier can authenticate against records stored in an external LDAP database. Any RADIUS attribute, such as username and password, can be used to query the database.

External database authentication is typically used when an organization has a large amount of user information stored in an LDAP database, and wants to authenticate these users using RADIUS. Authentication against an existing LDAP database extends authentication services to user accounts without requiring an administrator to enter user information into the Steel-Belted Radius Carrier database.

Steel-Belted Radius Carrier offers LDAP authentication as a plug-in software module. Key features of the LDAP plug-in include the following:

  • Support for LDAP Version 3.
  • Linux SBR Carrier (starting from Release 7.4.0) and Solaris SBR Carrier (starting from Release 7.5.0) use OpenLDAP libraries to process LDAP requests.
  • When LDAP over SSL is used, OpenLDAP must be configured to trust the LDAP server's certificate before SBR Carrier can process LDAP requests.
  • You can authenticate via LDAP Bind or via a password returned from an LDAP Search request (BindName).
  • A single Search request or a sequence of Search requests can be specified.
  • Bind, Base, and Search strings can include variables.
  • New Bind parameters can be specified during a sequence of searches.
  • Other authentication credentials can be specified in a string that can include variable values.
  • Variables may be set from the RADIUS request packet and from LDAP Search results.
  • Variables may be used to specify RADIUS response attributes and other response information.
  • The RADIUS response can include RADIUS attributes found in the LDAP database, or it can reference a Steel-Belted Radius Carrier profile or user entry.
  • Several features similar to SQL authentication are supported, such as round-robin load balancing and activation targets.
  • Decorated usernames can be parsed into two variables within the variable table. For example, simon@xyz.com would be parsed into simon and xyz.com for use later in the authentication process.
  • The variable table allows both attributes and %Profile in the [Response] section.
  • Conditional search logic is supported by branching using the OnFound and OnNotFound fields.

LDAP Variable Table

The LDAP Variable Table lets you translate a RADIUS request into an LDAP lookup. At the beginning of each LDAP authentication request, Steel-Belted Radius Carrier creates a Variable Table. Attributes and other information from the RADIUS request are entered in the Variable Table for use in LDAP Bind, Base, and Search strings. When attributes are returned by LDAP requests, they too are entered in the Variable Table. Finally, selected information from the Variable Table is returned to the RADIUS client in the RADIUS response packet. See Figure 190.

Figure 190: Role of the Variable Table in LDAP Authentication

Types of LDAP Authentication

To design an LDAP authentication method, consider how you want to validate the username and password.

The LDAP plug-in offers two techniques for validating the username and password. Each configuration file that you write to control LDAP authentication must use either Bind or BindName. The two techniques differ in how Steel-Belted Radius Carrier connects to the LDAP server and in whether the username/password validation is performed by the LDAP server (Bind) or by Steel-Belted Radius Carrier itself (BindName).

BindName Authentication

When you use BindName authentication, your LDAP configuration file provides Steel-Belted Radius Carrier with the username and password of an account on the LDAP server. This must be an account that has privileges to access all of the information that you require to authenticate users. In the LDAP configuration file, you provide the username in the BindName parameter, and the password in the BindPassword parameter. Because this account can read every user's password attribute, grant it only the read access it needs and restrict access to the configuration file that holds BindPassword.

After you complete the LDAP configuration file, each time Steel-Belted Radius Carrier starts up, it executes a Bind request to the LDAP server using the BindName and BindPassword parameters as its credentials. If the LDAP server can validate these credentials, a connection is established between the two servers. This connection remains up all the time. It is disconnected only if the Steel-Belted Radius Carrier server or the LDAP server goes down, and it is re-established as soon as possible after the down server comes back up. The LDAP configuration file offers a number of connection and re-connection timeouts and other parameters that regulate this relationship.

Any time authentication via LDAP is required, Steel-Belted Radius Carrier consults the corresponding LDAP configuration file. When you use BindName authentication, this file must contain a Search command that maps the username from the Access-Request to a password attribute in the LDAP database; the BindName account must therefore be able to read that attribute. The Search may retrieve other LDAP attributes as well. When the Search returns its results, Steel-Belted Radius Carrier (not the LDAP server) compares the value of the password returned from the LDAP database with the password from the incoming Access-Request. If the two values are the same, the password is considered validated.

When the connection to the LDAP server is established using BindName, multiple authentications can be performed at the same time over the same connection. This is done using the MaxConcurrent setting in the [Settings] section of the ldapauth.aut file.

Bind Authentication

When you use Bind authentication, Steel-Belted Radius Carrier authenticates connection requests by attempting to Bind to the LDAP server using the username and password from the incoming Access-Request or from a configured username and password. If this Bind request succeeds, the password is validated. This is essentially pass-through authentication; Steel-Belted Radius Carrier presents an LDAP user’s credentials to the LDAP server and asks to have them validated.

In the simplest case, a single connection is established for each Access-Request and is kept open only long enough for the LDAP server to validate the password and respond to any Search requests. Then Steel-Belted Radius Carrier closes the connection and completes any processing that remains to generate an Access-Response.

A more sophisticated search technique can take advantage of flexible Bind, which allows you to allocate a sequence of connections for each Access-Request. Each in turn is kept open only long enough for the server to process each search criterion. Then Steel-Belted Radius Carrier closes the connection and completes any processing that remains to generate an Access-Response.
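The following is an added example, not code from Steel-Belted Radius Carrier or from this page: a small Python simulation of the flow described in the Variable Table, BindName and Bind sections above. It seeds a Variable Table from an Access-Request (splitting a decorated username such as simon@xyz.com into two variables), expands variables into Bind, Base and Search strings, validates the password either by comparing a searched password attribute (BindName) or by binding as the user (Bind), and chains searches with OnFound/OnNotFound. The in-memory directory, the Mode and FirstSearch keys, the [Search/<name>] section layout, the `<Var>` placeholder syntax and the User/Realm variable names are assumptions of this example; only the parameter names mentioned on the page are taken from it.

```python
import configparser
import hmac
import re
# Constructed stand-in for the LDAP directory (DN -> attributes); no server is involved.
DIRECTORY = {
    "cn=radius-reader,o=xyz.com": {"userPassword": "reader-pw"},
    "uid=simon,ou=people,o=xyz.com": {"userPassword": "s3cret", "radiusProfile": "DEFAULT"},
    "uid=alice,ou=staff,o=xyz.com": {"userPassword": "wonder", "radiusProfile": "ADMIN"},
}
# Illustrative configs in the spirit of ldapauth.aut. [Settings], [Response], Bind, Base,
# Search, BindName, BindPassword, OnFound, OnNotFound and %Profile are named on the page;
# Mode, FirstSearch, the [Search/<name>] layout and <Var> placeholders are assumptions.
SEARCH_CHAIN = """
[Search/People]
Base = ou=people,o=<Realm>
Search = uid=<User>
OnFound = Accept
OnNotFound = Staff
[Search/Staff]
Base = ou=staff,o=<Realm>
Search = uid=<User>
OnFound = Accept
OnNotFound = Reject
[Response]
%Profile = <radiusProfile>
"""
BINDNAME_CONFIG = """
[Settings]
Mode = BindName
BindName = cn=radius-reader,o=xyz.com
BindPassword = reader-pw
FirstSearch = People
""" + SEARCH_CHAIN
BIND_CONFIG = """
[Settings]
Mode = Bind
Bind = uid=<User>,ou=people,o=<Realm>
FirstSearch = People
""" + SEARCH_CHAIN
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def build_variable_table(request):
    """Seed the Variable Table from the request; simon@xyz.com -> User=simon, Realm=xyz.com."""
    table = dict(request)
    table["User"], _, table["Realm"] = request["User-Name"].partition("@")
    return table

def expand(template, table, escape=False):
    """Replace <Name> placeholders; an unset variable raises instead of becoming "" (no uid= filter)."""
    def sub(match):
        value = table.get(match.group(1))
        if not value:
            raise KeyError(f"variable {match.group(1)} is unset")
        if escape:  # RFC 4515 escaping: request data must not rewrite the filter
            value = "".join(_FILTER_ESCAPES.get(c, c) for c in value)
        return value
    return re.sub(r"<([^<>]+)>", sub, template)

def same_secret(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison

def ldap_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and same_secret(entry["userPassword"], password)

def ldap_search(base, flt):  # minimal one-level search: 'attr=value' against the RDN under base
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and dn.startswith(flt + ",")]

def authenticate(config_text, request):
    """Run one Access-Request through the flow: ("Accept", response) or ("Reject", why)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep %Profile and camel-case keys as written
    cfg.read_string(config_text)
    try:
        return _run(cfg, build_variable_table(request), request["User-Password"])
    except KeyError as err:  # unset variable or missing key: fail closed
        return "Reject", f"bad request: {err}"

def _run(cfg, table, password):
    settings = cfg["Settings"]
    if settings["Mode"] == "BindName":
        # The service account binds once; SBR itself compares the stored password below.
        if not ldap_bind(settings["BindName"], settings["BindPassword"]):
            return "Reject", "service bind failed"
    elif not ldap_bind(expand(settings["Bind"], table), password):
        return "Reject", "user bind failed"  # pass-through: the LDAP server decided
    step = settings["FirstSearch"]
    while step not in ("Accept", "Reject"):  # OnFound/OnNotFound chain the searches
        search = cfg["Search/" + step]
        hits = ldap_search(expand(search["Base"], table), expand(search["Search"], table, True))
        if hits:
            table.update(hits[0][1])  # search results land in the Variable Table
        step = search["OnFound"] if hits else search["OnNotFound"]
    if step == "Reject":
        return "Reject", "user not found"
    if settings["Mode"] == "BindName" and not same_secret(table.get("userPassword", ""), password):
        return "Reject", "password mismatch"
    return "Accept", {k: expand(v, table) for k, v in cfg["Response"].items()}
```

Two behaviours worth noticing: with the BindName config, alice is found by the second search (OnNotFound branches from People to Staff) because the service account can search anywhere; with the Bind config the same user is rejected, because the Bind string fixes the DN shape before the server is consulted. The `expand` helper escapes request data placed into Search strings and refuses to expand an unset variable, so a request without a realm is rejected rather than searched with an empty filter.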

Attributes and LDAP Authentication

A username and password may be all the information that you require to authenticate users. However, the LDAP plug-in offers a number of techniques for working with check list or return list attributes, should you need them.

Modified: 2017-09-27