Configuring LDAP Authentication

To configure an LDAP authentication method, you must edit the ldapauth.aut configuration file, which controls the LDAP authentication sequence.

Table 54 summarizes the process of configuring an LDAP authentication method for Steel-Belted Radius Carrier. It lists the sections that you must edit in the ldapauth.aut configuration file to accomplish each step.

You must perform all steps.

You must at least consider the entries that you want to put in each section of the configuration file, even if you decide to leave most of that section blank.

Table 54: LDAP Authentication (ldapauth.aut) Configuration File Tasks

Each step below gives the LDAP configuration task and, on the following line, the ldapauth.aut file section(s) edited to accomplish it.

  1. Decide how you want Steel-Belted Radius Carrier to validate RADIUS access requests. Two major areas of choice are described above: (1) Bind or BindName; and (2) Profile, Alias, or attribute list.
     Sections: all sections

  2. Determine which incoming RADIUS attributes are required to perform the LDAP search.
     Sections: [Response]

  3. Determine which LDAP attributes are required to support the LDAP search.
     Sections: [Attribute/name]

  4. Design Search template(s) that can find the necessary data in your LDAP database schema.
     Sections: [Search/name]

  5. Extract the data from the incoming RADIUS packet that Steel-Belted Radius Carrier will use to perform the LDAP Bind and Search requests.
     Sections: [Request]

  6. Select defaults that you want Steel-Belted Radius Carrier to use when corresponding values are not provided.
     Sections: [Defaults]

  7. Enable connections between the Steel-Belted Radius Carrier server and LDAP server(s).
     Sections: [Server], [Server/name], [Settings], [Failure]

  8. Enable the LDAP plug-in and name the authentication method.
     Sections: [Bootstrap]

The order in which you edit the configuration file sections is the reverse of the order in which Steel-Belted Radius Carrier processes them. The processing sequence is described in LDAP Authentication Sequence.

Supporting Secure Sockets Layer

To configure SSL to be supported by the LDAP plug-in:

  1. Set SSL in the [Settings] (or [Server/name]) section to 1.

  2. Set the port in the [Server] section to the SSL port of the LDAP server.

    Note

    If SSL=1, the Host parameter in [Server/name] accepts only LDAP-style URIs, for example ldaps://hostname:port. The default port setting is ignored and the port given in the LDAP-style URI in Host is used instead.

  3. Set OpenLDAP to accept the server certificate.

    This is configured in the ldap.conf file located in the following path:

    • For Linux: /etc/openldap/ldap.conf

    • For Solaris: /usr/local/etc/openldap/ldap.conf

    Setting the TLS_REQCERT parameter to never causes the OpenLDAP client library to accept the LDAP server's certificate without validating it, so SBR Carrier can complete the TLS connection and the LDAP traffic is encrypted. Because no certificate validation is performed, this setting protects the confidentiality of the traffic but does not verify the identity of the LDAP server; the stricter TLS_REQCERT values (such as demand) require the server certificate to chain to a CA that you configure with TLS_CACERT in the same ldap.conf file.

Note

A minimum DH key size of 1024 bits is recommended for use of SSL with LDAP.

Files

The file in Table 55 establishes settings for LDAP authentication. For more information about this file, refer to the SBR Carrier Reference Guide.

Table 55: LDAP Authentication File

File Name     Function
ldapauth.aut  Specifies settings for LDAP authentication in Steel-Belted Radius Carrier. For complete details see the LDAP authentication file in the SBR Carrier Reference Guide.

LDAP Database Schema

The most important factor in the success of your LDAP authentication methods is the design of your LDAP database schema. This discussion assumes that you already have a schema in place.

Often, you can use the LDAP plug-in without changing the LDAP database schema at all. In Figure 191, the user record already provides an LDAP attribute called Organization. If you intend to grant connection privileges according to the organization to which each user belongs, you can create profiles in the Steel-Belted Radius Carrier database whose names match the strings you are already using for the Organization attribute. You can then create an LDAP authentication configuration file that retrieves the value of the Organization attribute from the LDAP database and returns it to Steel-Belted Radius Carrier as the name of the profile to use.

Note

If you are using BindName authentication, you need to be able to identify which LDAP attribute contains the user's password. In the schema in Figure 191, this attribute is called User-Secret.

Figure 191: Capitalizing on an Existing Schema for LDAP Authentication

When the authentication strategy you have chosen requires data that is not currently in the schema, you might need to modify the schema.

The name of a Steel-Belted Radius Carrier profile is a typical example. Consider the example shown in Figure 191. If you want to assign connection privileges to users in some way other than by Organization, and no other LDAP attribute seems appropriate, you can add an LDAP attribute that names a profile. In Figure 192, this attribute is called RADIUS-Profile. This attribute contains a string value that can be set to the name of a profile defined in the Steel-Belted Radius Carrier database.

Figure 192: Modifying a Schema to Enhance LDAP Authentication

LDAP Authentication and Password Format

Steel-Belted Radius Carrier supports authentication of users whose records reside in an LDAP table in which password values are stored in one of the following formats: clear-text, UNIXcrypt, Secure Hash Algorithm (SHA1+Base64 hash), MD4 hash, or enc-md5 reversibly-encoded password.

Hashed Passwords

Encoded values include a prefix that indicates how the password has been processed. The prefix is in clear-text between curly braces { } and is immediately followed by a hash value computed from the password. If no prefix is present in the value retrieved, the entire password is assumed to be in clear-text format. In summary:

  • PasswordText indicates clear-text format (no encryption)

  • {crypt} HashHash indicates UNIXcrypt format

  • {SHA} HashHashHash indicates SHA1+Base64 hash

  • {SSHA} HashHashHashSalt indicates salted SHA1+Base64 hash

  • {md4} HashHash indicates MD4 hash of the Unicode form of password

  • {enc-md5} EncryptedEncrypted indicates a reversibly encrypted password. (Although Steel-Belted Radius Carrier reads passwords encoded in this format, you must purchase the Software Developer’s Kit to convert clear-text passwords to this format.)

UNIXcrypt is the standard hash algorithm used for the /etc/passwd file on Solaris systems. Support for this format may be necessary if, for example, the standard user database on a Solaris machine (the /etc/passwd file) is migrated to a SQL database, so that the values in the Password column of the SQL table have been processed with UNIXcrypt.

You can configure Steel-Belted Radius Carrier to expect that the values retrieved from a table have been run through UNIXcrypt by adding the following entry into the [Settings] section of the LDAP authentication configuration file:

Automatic Parsing

If PasswordFormat is set to 0, Steel-Belted Radius Carrier attempts to determine the password format automatically by parsing it. This is the recommended setting. Automatic parsing expects the password to be stored in one of the formats described in this chapter.

This technique is useful if clear-text passwords are available to Steel-Belted Radius Carrier (that is, if PAP is used). If you set PasswordFormat to 0, the stored password can be returned to Steel-Belted Radius Carrier still encrypted, and the comparison with the password received from the RADIUS client can be done on the Steel-Belted Radius Carrier side.
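The prefix-driven parsing described under Hashed Passwords and the server-side comparison that automatic parsing (PasswordFormat = 0) makes possible are illustrated by the following added example. It is not SBR Carrier code; it is a stand-alone Python verifier that mirrors the rules on this page: a value with no `{prefix}` is treated as clear-text, `{SHA}` is the Base64 of a SHA1 digest, and `{SSHA}` is the Base64 of a SHA1 digest followed by the salt (the 20-byte digest length and the 8-byte salt used for encoding are assumptions based on the common RFC 2307 layout, not values stated on the page). The `{crypt}`, `{md4}` and `{enc-md5}` schemes are recognized but deliberately left unverified, because the page does not specify their encoding details. The sample directory entries are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def parse_stored_password(stored: str) -> tuple[str, str]:
    """Split a stored LDAP password value into (scheme, payload).

    The scheme is the clear-text tag between curly braces; a value with no
    tag is treated as clear-text, exactly as automatic parsing does.
    Any whitespace after the tag is ignored.
    """
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 0:
            return stored[1:end].lower(), stored[end + 1:].strip()
    return "cleartext", stored


def encode_sha(password: str) -> str:
    """{SHA}Base64(sha1(password)) for storing a new password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: bytes | None = None) -> str:
    """{SSHA}Base64(sha1(password + salt) + salt).

    The 8-byte random salt is an assumption (common practice), not a value
    given on the page.
    """
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(candidate: str, stored: str) -> bool | None:
    """Compare a clear-text candidate (as received via PAP) with a stored value.

    Returns True/False for the schemes this example implements, and None for
    schemes the page lists but whose encoding it does not fully specify
    ({crypt}, {md4}, {enc-md5}). Raises ValueError for an unknown prefix.
    Comparisons use constant-time equality to avoid timing leaks.
    """
    scheme, payload = parse_stored_password(stored)
    cand = candidate.encode("utf-8")
    if scheme == "cleartext":
        return hmac.compare_digest(cand, payload.encode("utf-8"))
    if scheme == "sha":
        return hmac.compare_digest(hashlib.sha1(cand).digest(), base64.b64decode(payload))
    if scheme == "ssha":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # SHA1 digest is 20 bytes; the rest is the salt
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme in ("crypt", "md4", "enc-md5"):
        return None  # recognized by the page, not implemented in this example
    raise ValueError(f"unknown password scheme: {scheme}")


# Constructed sample directory entries (not real data); the crypt value is a
# placeholder string, not a genuine crypt hash.
SAMPLE_DIRECTORY = {
    "alice": "s3cret",                                   # clear-text, no prefix
    "bob": encode_sha("s3cret"),                         # {SHA}
    "carol": encode_ssha("s3cret", salt=b"saltsalt"),    # {SSHA} with fixed salt
    "dave": "{crypt}PLACEHOLDER_CRYPT_HASH",             # left unverified
}


def check_directory(candidate: str) -> dict[str, bool | None]:
    """Run the verifier over every sample entry with one candidate password."""
    return {user: verify_password(candidate, stored) for user, stored in SAMPLE_DIRECTORY.items()}


if __name__ == "__main__":
    for user, result in check_directory("s3cret").items():
        print(f"{user}: {result}")
```

Running the block prints True for alice, bob and carol, and None for dave, showing that the parser can route each stored format to the right comparison without the LDAP server ever releasing a clear-text password.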

Note

The setting for automatic password parsing in previous versions of Steel-Belted Radius Carrier (auto) has been deprecated.