ldap
The ldap backend allows Radiator to authenticate and authorize users against an LDAP directory.
Example configuration of an LDAP backend:
ldap "ldap.forumsys.com" {
# LDAP server
server "ldap.forumsys.com" {
# LDAP URL
# NOTE(review): a plain ldap:// URL on 389 means the simple-bind credentials
# below, every search filter (which carries the user identity) and all
# returned entries cross the network in clear text. Outside a lab, use
# ldaps:// and/or enable the tls block further down.
url "ldap://ldap.forumsys.com:389/";
# Operation timeout (supports duration units like 3s, 5m, 1h)
timeout 3s;
# (Optional) Server authentication
authentication {
# Simple bind authentication
# NOTE(review): a literal password here ends up in backups and version
# control; the ENV form below keeps it out of the file. Give this account
# only read access to the subtrees the searches need (least privilege) —
# the name suggests read-only, but confirm it on the directory side.
dn "cn=read-only-admin,dc=example,dc=com";
password "password";
# or from environment variables
# dn ENV.LDAP_BIND_DN;
# password ENV.LDAP_BIND_PW;
}
# How many sockets/connections at maximum to open for shared
# server-authentication. Default 10.
shared-connections 10;
# How many sockets/connections at maximum to open for exclusive
# per-operation authentication. Default 10.
# (A bind changes the authorization state of the connection it runs on,
# which is presumably why per-operation authentication gets its own pool.)
exclusive-connections 10;
# Automatically close the connections after this idle time. If not
# defined the connections are kept open indefinitely.
# idle-timeout 60s;
# (Optional) TLS client configuration
#tls {...}
}
# A single backend can have multiple LDAP servers configured
#server "ldap2" {
# ...
#}
# LDAP operations
# LDAP search operation named "USER_GROUPS"
search "USER_GROUPS" {
base "dc=example,dc=com";
scope sub;
# The %{aaa.identity} value comes from the request, and here it is also
# embedded inside a DN string within the filter value. Unless Radiator
# escapes it per RFC 4515 (filter) and RFC 4514 (DN) before substitution,
# a crafted identity could change the meaning of this filter — confirm
# before exposing this to untrusted identities.
filter "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=%{aaa.identity},dc=example,dc=com))";
# (Optional) per-operation authentication. If not defined the
# server-level authentication is used
authentication {
# Same caveat as above: prefer ENV.* over a literal password.
dn "cn=mikem,dc=example,dc=com";
password "password";
}
# Mapping of LDAP attributes to Radiator variables/attributes
mapping {
# The entry DN
vars.dn = entry::dn;
# Attributes
user.username = uid;
user.group += ou;
}
}
# Dynamic user bind test. This will reject if the bind fails.
# Both vars.user_dn and vars.user_password must already have been populated
# by an earlier operation (e.g. a search that maps entry::dn to vars.user_dn).
# NOTE(review): many directories treat a bind with a DN and an empty
# password as an anonymous bind that succeeds (RFC 4513 section 5.1.2),
# which would look like a successful authentication here — confirm that
# empty passwords are rejected before this operation runs.
bind "USER_BIND" {
dn vars.user_dn;
password vars.user_password;
}
}
Authentication with dynamic LDAP bind
Sometimes the user's password cannot be read from the LDAP directory (for example, the directory stores only a hash or denies read access to the password attribute). In such cases, Radiator can instead perform a dynamic bind operation: it binds to the directory as the user, with the user's DN and the password supplied in the request, and treats a successful bind as valid credentials. Because an LDAP simple bind needs the clear-text password, this approach only works for authentication methods that deliver it, such as PAP; it cannot verify CHAP or MS-CHAP responses.
Create the following LDAP backend:
backends {
ldap "LDAP" {
server "LDAP_SERVER" {
# NOTE(review): ldap:// without the tls block sends the admin credentials
# below, the user's DN and the user's clear-text password (in BIND_USER)
# unencrypted. Use ldaps:// or enable TLS before deploying this.
url "ldap://host:1389/";
authentication {
# Service account used only for FIND_USER; it needs read access to the
# user subtree and nothing more. Prefer ENV.* over a literal password.
dn "cn=admin,dc=example,dc=org";
password "adminpassword";
}
}
# Step 1: locate the user's entry and remember its DN for the bind.
search "FIND_USER" {
base "dc=example,dc=org";
scope sub;
# %{aaa.identity} is request-controlled; confirm Radiator escapes it per
# RFC 4515 before relying on this filter with untrusted identities. The
# attribute used here should be unique in the directory — what ends up in
# vars.user_dn when the filter matches several entries is not specified
# on this page.
filter "(&(cn=%{aaa.identity})(objectClass=inetOrgPerson))";
mapping {
user.username = uid;
# Store the user dn to be used in the later bind operation
vars.user_dn = entry::dn;
}
}
# Step 2: bind as the user with the password from the RADIUS request.
# This requires the clear-text password (PAP); CHAP/MS-CHAP cannot be
# verified this way.
# NOTE(review): many directories accept a DN with an empty password as an
# anonymous bind (RFC 4513 section 5.1.2), which would count as success
# here — make sure empty passwords are rejected before this runs, or that
# unauthenticated binds are disabled on the server.
bind "BIND_USER" {
dn vars.user_dn;
password radius.request.password;
}
}
}
And authenticate the user with the following policy configuration:
aaa {
policy "DEFAULT" {
handler "AUTHENTICATION" {
authentication {
# The two backend queries run in this order: FIND_USER must come first so
# that vars.user_dn is populated before BIND_USER reads it.
backend {
name "LDAP";
query "FIND_USER";
}
# Binds as the found user with the request password; a failed bind
# rejects the request.
backend {
name "LDAP";
query "BIND_USER";
}
}
}
}
}
This policy rejects the authentication request if the user cannot be found, or if the bind operation fails with the password supplied in the request. Two caveats apply. First, many LDAP servers treat a bind with a DN and an empty password as an anonymous (unauthenticated) bind that succeeds (RFC 4513 section 5.1.2); unless Radiator already rejects empty passwords before the bind — confirm this for your version — make sure empty passwords are refused or that unauthenticated binds are disabled on the directory, otherwise a request with no password could be accepted. Second, the bind sends the user's clear-text password to the directory, so the connection to the LDAP server should be protected with TLS.