openLDAP, freeRadius and firewall integration

Alan DeKok aland at
Wed May 31 19:07:18 CEST 2017

On May 31, 2017, at 6:56 AM, M. selcuk karaca <selcuk.karaca at> wrote:
> We have an OpenLDAP server, and we want to integrate LDAP users with our firewall. Our ultimate aim for the integration is to apply FW policies according to users. Currently we are applying policies according to IP addresses.

  That's largely how firewalls work... applying rules by users is a bit more difficult.

> Because the OpenLDAP server does not provide us with accounting information sent to the FW, we have employed a FreeRADIUS server.

  FreeRADIUS doesn't generate accounting records.  It receives accounting records from a NAS or firewall.

> But we could not trigger FreeRADIUS accounting packets by authenticating our users with the OpenLDAP server.

  Because OpenLDAP doesn't generate accounting packets.

> So we have used the libpam-radius-auth package and directly authenticated users from FreeRADIUS.

  Which does some accounting...

> I want to ask whether this way is a logical one. Does this have any negative effects, is it not recommended, etc.?
> What should be the correct architecture for authenticating our users from OpenLDAP and providing firewall integration for user-based policies?

  I'm not even sure what you want to do.

  Your question isn't clear that you understand how firewalls work, how LDAP works, and how RADIUS works.

  Alan DeKok.
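To make the point in this reply concrete (accounting records originate at the NAS or firewall and are only received by FreeRADIUS), here is an added example that is not code from the thread or from the FreeRADIUS project: it builds an RFC 2866 Accounting-Request the way a NAS would, verifies it the way a RADIUS server would, and extracts the User-Name / Framed-IP-Address binding that a firewall could use for user-based policy. The shared secret, user name, addresses and session id are constructed sample values.

```python
"""RFC 2866 accounting exchange, both sides, built by hand.

Added example; not FreeRADIUS code. Secret, names and addresses below are
constructed sample values, not taken from any real deployment.
"""
import hashlib
import hmac
import ipaddress
import struct

# Packet codes (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types used here
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44

ACCT_START = 1
ACCT_STOP = 2


def _avp(attr_type, value):
    """Encode one attribute: Type(1) Length(1) Value(len)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _ipv4(addr):
    return ipaddress.IPv4Address(addr).packed


def build_accounting_request(secret, identifier, username, nas_ip, framed_ip,
                             session_id, status=ACCT_START):
    """NAS/firewall side. Request Authenticator = MD5(header || 16 zero
    bytes || attributes || secret), per RFC 2866 section 3."""
    attrs = (_avp(USER_NAME, username.encode())
             + _avp(NAS_IP_ADDRESS, _ipv4(nas_ip))
             + _avp(FRAMED_IP_ADDRESS, _ipv4(framed_ip))
             + _avp(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _avp(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {type: [raw values]} for everything after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def verify_accounting_request(secret, packet):
    """Server side. Returns the user->IP binding, or None if the packet is
    malformed or its Request Authenticator does not match the shared secret."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    attrs = parse_attributes(packet)
    return {
        "username": attrs[USER_NAME][0].decode(),
        "nas_ip": str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS][0])),
        "framed_ip": str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0])),
        "status": struct.unpack("!I", attrs[ACCT_STATUS_TYPE][0])[0],
        "session_id": attrs[ACCT_SESSION_ID][0].decode(),
    }


def build_accounting_response(secret, request):
    """Server side. Response Authenticator = MD5(header || RequestAuth ||
    attributes || secret); the response carries no attributes here."""
    identifier = request[1]
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(secret, request, response):
    """NAS side: accept the response only if it is bound to our request."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE:
        return False
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The firewall-side lesson is in `verify_accounting_request`: the user-to-IP mapping comes out of a Start record that the NAS (here, whatever runs the PAM module or the firewall itself) chose to send; nothing in this exchange is produced by the directory server. The MD5-based authenticator only proves knowledge of the shared secret, so a stale or spoofed binding from a host that knows the secret is accepted; that is a reason to scope secrets per client and to pair Start records with Stop records and Interim-Update timeouts rather than trusting a mapping indefinitely.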

More information about the Freeradius-Users mailing list