chain two authentication modules together

Alexander Clouter alex at digriz.org.uk
Fri Jun 17 21:28:44 CEST 2011


madmatrix <hailumeng at gmail.com> wrote:
> 
> What I'm wanting to do is integrate LDAP and OTP. The OTP I want to 
> use doesn't have interface to radius. So I'm planning to get that OTP 
> source code into a new FR module. For LDAP part, I just want to 
> include the existing module to the new one. Is this doable? I guess I 
> may need to implant the LDAP module code into the new module too.
>
I *strongly* recommend you use rlm_perl/rlm_python.  I found it very 
straightforward to quickly implement rfc2289 with eap-gtc.

> The whole authentication process is: 1. LDAP authentication. 2. If
> successful, do something and request 2nd OTP authentication. If not, reject
> the authentication.
>
I think you might find yourself having to either:
 * combined password of form "<ldap password> <otp challenge response>"
 * two separate RADIUS authentications, say use PAM to first do a 
	regular RADIUS password check and also require a second check to 
	another RADIUS server (a FreeRADIUS virtual server for example) 
	that then does the OTP

As you have not described what the problem is (EAP for 802.1X, web 
portal, PAM backed authentication, etc?) it is hard to give you advice.

> From what I read here, the new module must be the way to do this. But 
> is there any easy way to integrate existing module like LDAP into the 
> new module?
> 
If you use rlm_perl/rlm_python, you will find the job much easier, fast 
on the prototyping front and maintenance will be a lot less trouble (i.e., 
no need to recompile things as an example).

Cheers

-- 
Alexander Clouter
.sigmonster says: Don't feed the bats tonight.
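The combined-password approach from the reply above, as an added example that is not code from the thread or from FreeRADIUS: an rlm_python-style authenticate() that splits "<ldap password> <otp challenge response>", requires the LDAP bind to succeed first, and only then verifies an RFC 2289 OTP (MD5 folding, hex form) against the user's stored sequence number and last accepted OTP. The ldap_bind callable, the otp_db dict and the return-code constants are assumptions standing in for the real LDAP lookup and the radiusd module.

```python
import hashlib
import hmac

# Return codes with the values from radiusd.h; a real rlm_python module would
# use the radiusd module that FreeRADIUS injects instead of these constants.
RLM_MODULE_REJECT = 0
RLM_MODULE_OK = 2

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 step with MD5: hash, then XOR the first 8 bytes with the last 8."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_at(seed: str, passphrase: str, sequence: int) -> bytes:
    """OTP for a sequence number: fold seed+passphrase, then fold again `sequence` times."""
    x = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        x = fold_md5(x)
    return x

class OtpState:
    """Server-side record per user (assumed store): sequence number and last accepted OTP."""
    def __init__(self, seed: str, passphrase: str, sequence: int):
        self.sequence = sequence
        self.last_otp = otp_at(seed, passphrase, sequence)  # enrolment; passphrase not kept

def verify_otp(state: OtpState, response_hex: str) -> bool:
    """Accept the response if folding it once yields the stored OTP, then advance the state."""
    try:
        r = bytes.fromhex(response_hex)
    except ValueError:
        return False
    if len(r) != 8 or state.sequence <= 0:
        return False
    if not hmac.compare_digest(fold_md5(r), state.last_otp):
        return False
    state.last_otp, state.sequence = r, state.sequence - 1  # a replay of r now fails
    return True

def authenticate(pairs, ldap_bind, otp_db) -> int:
    """rlm_python-style authenticate(): `pairs` is a tuple of (attribute, value) pairs."""
    attrs = dict(pairs)
    ldap_pw, sep, otp_resp = attrs.get("User-Password", "").rpartition(" ")
    if not sep or not ldap_bind(attrs.get("User-Name"), ldap_pw):
        return RLM_MODULE_REJECT  # step 1: LDAP bind must succeed before OTP is touched
    state = otp_db.get(attrs.get("User-Name"))
    if state is None or not verify_otp(state, otp_resp):
        return RLM_MODULE_REJECT  # step 2: OTP challenge response
    return RLM_MODULE_OK
```

The last space separates the two factors, so an LDAP password containing spaces still works while the hex OTP (which never contains one) is always the final token.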
