LDAP Frontend with Support for RADIUS Schema

Alan DeKok aland at deployingradius.com
Tue Nov 9 23:39:46 CET 2010


Holger Rauch wrote:
> thanks a lot for your reply. But apart from a suggestion for the LDAP
> frontend, I was also looking for documentation on how FreeRADIUS can
> be used in conjunction with OpenLDAP for authenticating VPN users.

  LDAP stores usernames and passwords.  FreeRADIUS looks up usernames in
LDAP, obtains the "known good" password, and authenticates the user.

  The server comes with detailed examples, and documented configuration
files.  See raddb/modules/ldap.

> Furthermore, the comments on the precise meaning of the RADIUS related
> LDAP attributes in the corresponding LDAP schema are rather terse.

  Yes.  They map data in LDAP to RADIUS attributes.  The meaning of the
RADIUS attributes is defined in the RFCs.

> Is
> there any documentation covering the meaning of those attributes in
> greater detail, especially in the context of authenticating VPN users
> via a combination of means I mentioned in my previous mail?

  Nearly all of those attributes are *authorization* related.  i.e. VLAN
assignment, etc.  As a result, they have very little to do with
*authentication*.

  In your case, configure FreeRADIUS to use LDAP, and the VPN users will
be authenticated.  If you need specific authorization attributes, see
the VPN documentation for what is needed, and then configure FreeRADIUS
to return those.  (Or put them into LDAP, and FreeRADIUS will
automatically return them.)

  Alan DeKok.
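
The split described in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: a simplified Python model in which one mapped LDAP attribute supplies the "known good" password for authentication, while the remaining mapped attributes become authorization reply attributes. The mapping text follows the three-column checkItem/replyItem style of the server's ldap.attrmap file; the directory entry, user name, password and VLAN values are constructed for illustration.

```python
import hmac

# Constructed mapping: <checkItem|replyItem> <RADIUS attribute> <LDAP attribute>
ATTRMAP = """\
checkItem  Cleartext-Password       userPassword
replyItem  Tunnel-Type              radiusTunnelType
replyItem  Tunnel-Medium-Type       radiusTunnelMediumType
replyItem  Tunnel-Private-Group-Id  radiusTunnelPrivateGroupId
"""

# Constructed directory entry for a hypothetical VPN user.
ENTRY = {
    "uid": "vpnuser",
    "userPassword": "correct horse",
    "radiusTunnelType": "VLAN",
    "radiusTunnelMediumType": "IEEE-802",
    "radiusTunnelPrivateGroupId": "42",
    "mail": "vpnuser@example.org",  # not mapped, so never returned
}

def parse_attrmap(text):
    # Return (kind, radius_attr, ldap_attr) rules, skipping comments and blanks.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        kind, radius_attr, ldap_attr = line.split()[:3]
        if kind not in ("checkItem", "replyItem"):
            raise ValueError("unknown item type: " + kind)
        rules.append((kind, radius_attr, ldap_attr))
    return rules

def map_entry(entry, rules):
    # Check items drive authentication; reply items carry authorization.
    check, reply = {}, {}
    for kind, radius_attr, ldap_attr in rules:
        if ldap_attr in entry:
            target = check if kind == "checkItem" else reply
            target[radius_attr] = entry[ldap_attr]
    return check, reply

def access_request(entry, rules, supplied_password):
    # Authenticate against the known-good password, then return reply items.
    check, reply = map_entry(entry, rules)
    known_good = check.get("Cleartext-Password")
    ok = known_good is not None and hmac.compare_digest(
        known_good.encode(), supplied_password.encode())
    return ("Access-Accept", reply) if ok else ("Access-Reject", {})
```

A rejected request returns no reply attributes, and an entry with no mapped password is rejected rather than accepted by default.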


