ldap
The ldap backend allows Radiator to authenticate and authorize users against an LDAP directory.
Example configuration of an LDAP backend:
    ldap "ldap.forumsys.com" {
        # LDAP server
        server "ldap.forumsys.com" {
            # LDAP URL
            url "ldap://ldap.forumsys.com:389/";
            # Operation timeout (supports duration units like 3s, 5m, 1h)
            timeout 3s;
            # (Optional) Server authentication
            authentication {
                # Simple bind authentication
                dn "cn=read-only-admin,dc=example,dc=com";
                password "password";
                # or from environment variables
                # dn ENV.LDAP_BIND_DN;
                # password ENV.LDAP_BIND_PW;
            }
            # How many sockets/connections at maximum to open for shared
            # server-level authentication. Default 10.
            shared-connections 10;
            # How many sockets/connections at maximum to open for exclusive
            # per-operation authentication. Default 10.
            exclusive-connections 10;
            # Automatically close the connections after this idle time. If not
            # defined, the connections are kept open indefinitely.
            # idle-timeout 60s;
            # (Optional) TLS client configuration
            #tls {...}
        }
        # A single backend can have multiple LDAP servers configured
        #server "ldap2" {
        #    ...
        #}
        # LDAP operations
        # LDAP search operation named "USER_GROUPS"
        search "USER_GROUPS" {
            base "dc=example,dc=com";
            scope sub;
            filter "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=%{aaa.identity},dc=example,dc=com))";
            # (Optional) per-operation authentication. If not defined, the
            # server-level authentication is used
            authentication {
                dn "cn=mikem,dc=example,dc=com";
                password "password";
            }
            # Mapping of LDAP attributes to Radiator variables/attributes
            mapping {
                # The entry DN
                vars.dn = entry::dn;
                # Attributes
                user.username = uid;
                user.group += ou;
            }
        }
        # Dynamic user bind test. This will reject if the bind fails.
        bind "USER_BIND" {
            dn vars.user_dn;
            password vars.user_password;
        }
    }
Server Selection and Priority
When multiple LDAP servers are configured, they can be prioritized with the optional priority parameter (an integer from 0 to 255; lower numbers mean higher priority; the default is 0). Servers are tried according to the configured server-selection algorithm (the default is fallback).
Servers with the same priority value are tried in alphabetical order of their server names.
    backends {
        ldap "LDAP_HA" {
            server-selection fallback;
            server "LDAP_PRIMARY" {
                priority 0; # Highest priority, tried first
                url "ldap://ldap1.example.com:389/";
                # ...
            }
            server "LDAP_SECONDARY" {
                priority 1; # Lower priority, tried if primary fails
                url "ldap://ldap2.example.com:389/";
                # ...
            }
        }
    }
For detailed information about server selection algorithms and load balancing patterns, see Backend Load Balancing.
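The following is an added example, not Radiator code, that models the fallback ordering described above: servers are sorted by ascending priority (lower number first, 0 to 255, default 0) and, within the same priority, alphabetically by server name, then tried one after another. The server names, URLs and the `simulate` helper are constructed for the example. One assumption of the model, which this page does not settle, is that a server counts as failed only when it cannot be reached; the first server that answers decides the outcome.

```python
# Added example (not Radiator code): a model of "fallback" server selection.
# Ordering: ascending priority (0-255, default 0), ties broken by server name.
# Assumption: only an unreachable server triggers fallback to the next one.
from dataclasses import dataclass
from typing import Any, Callable, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LdapServer:
    name: str
    url: str
    priority: int = 0  # documented default

    def __post_init__(self) -> None:
        # Enforce the documented 0-255 range at configuration time.
        if not 0 <= self.priority <= 255:
            raise ValueError(f"{self.name}: priority {self.priority} outside 0-255")


def fallback_order(servers: Iterable[LdapServer]) -> List[LdapServer]:
    """Order servers the way the fallback algorithm tries them."""
    return sorted(servers, key=lambda s: (s.priority, s.name))


def run_with_fallback(
    servers: Iterable[LdapServer],
    operation: Callable[[LdapServer], Any],
) -> Tuple[Optional[str], Any, List[str]]:
    """Try `operation` on each server in fallback order.

    `operation` returns the LDAP result, or raises ConnectionError when the
    server cannot be reached. Returns (name of the server that answered or
    None, its result or None, names of all servers tried in order); the last
    item is what a debug log of the selection would show.
    """
    tried: List[str] = []
    for server in fallback_order(servers):
        tried.append(server.name)
        try:
            result = operation(server)
        except ConnectionError:
            continue  # unreachable: fall back to the next server
        return server.name, result, tried
    return None, None, tried


# Constructed server set (hypothetical names and hosts). LDAP_PRIMARY has the
# highest priority; the three priority-1 servers tie and sort alphabetically.
SERVERS = [
    LdapServer("LDAP_SECONDARY", "ldap://ldap2.example.com:389/", priority=1),
    LdapServer("LDAP_PRIMARY", "ldap://ldap1.example.com:389/", priority=0),
    LdapServer("LDAP_B", "ldap://ldap4.example.com:389/", priority=1),
    LdapServer("LDAP_A", "ldap://ldap3.example.com:389/", priority=1),
]


def simulate(down: Set[str]) -> Tuple[Optional[str], Any, List[str]]:
    """Run a bind-like operation where the servers named in `down` are unreachable."""

    def operation(server: LdapServer) -> bool:
        if server.name in down:
            raise ConnectionError(server.url)
        return True  # constructed: a reachable server accepts the bind

    return run_with_fallback(SERVERS, operation)


if __name__ == "__main__":
    print([s.name for s in fallback_order(SERVERS)])
    print(simulate(set()))
    print(simulate({"LDAP_PRIMARY", "LDAP_A"}))
```

Run it as a script to see the try order with nothing down, and again with the primary and the first tie-breaker unreachable; in the second run the answer comes from LDAP_B after two failed attempts.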
Authentication with dynamic LDAP bind
Sometimes it is not possible to retrieve the user password from the LDAP directory. In such cases, Radiator can perform a dynamic bind operation to test the user credentials.
Create the following LDAP backend:
    backends {
        ldap "LDAP" {
            server "LDAP_SERVER" {
                url "ldap://host:1389/";
                authentication {
                    dn "cn=admin,dc=example,dc=org";
                    password "adminpassword";
                }
            }
            search "FIND_USER" {
                base "dc=example,dc=org";
                scope sub;
                filter "(&(cn=%{aaa.identity})(objectClass=inetOrgPerson))";
                mapping {
                    user.username = uid;
                    # Store the user dn to be used in the later bind operation
                    vars.user_dn = entry::dn;
                }
            }
            bind "BIND_USER" {
                dn vars.user_dn;
                password radius.request.password;
            }
        }
    }
And authenticate the user with the following policy configuration:
    aaa {
        policy "DEFAULT" {
            handler "AUTHENTICATION" {
                authentication {
                    backend {
                        name "LDAP";
                        query "FIND_USER";
                    }
                    backend {
                        name "LDAP";
                        query "BIND_USER";
                    }
                }
            }
        }
    }
This policy will reject the authentication request if the user cannot be found or if the bind operation fails with the provided password.
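The following is an added example, not Radiator code, that models the two steps this policy runs (FIND_USER, then BIND_USER with the stored `vars.user_dn`) against a constructed in-memory directory instead of a live LDAP server. The identity substituted into the FIND_USER filter via `%{aaa.identity}` comes from the access request, so the example escapes it per RFC 4515 before building the filter string; this page does not describe how Radiator itself escapes substitutions, so the escaping shown is the example's own, and the entries, DNs and passwords are constructed. The model also shows the two rejection reasons the paragraph above names: user not found, and bind failed.

```python
# Added example (not Radiator code): search-then-bind against a constructed
# in-memory directory, with RFC 4515 escaping of the request identity.
import hmac
from typing import Dict, Optional, Tuple


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    Backslash is escaped first so the escapes added afterwards are not
    escaped a second time.
    """
    out = value.replace("\\", r"\5c")
    for ch, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        out = out.replace(ch, esc)
    return out


def build_find_user_filter(identity: str) -> str:
    """The FIND_USER filter from the configuration with the identity substituted."""
    return f"(&(cn={escape_filter_value(identity)})(objectClass=inetOrgPerson))"


# Constructed directory: DN -> attributes. userPassword is kept here only so
# the model can evaluate a bind; a real directory would not return it to a
# search, which is the situation this section is about.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=people,dc=example,dc=org": {
        "cn": "alice", "uid": "alice", "objectClass": "inetOrgPerson",
        "userPassword": "correct-horse",
    },
    "cn=bob,ou=people,dc=example,dc=org": {
        "cn": "bob", "uid": "bob", "objectClass": "inetOrgPerson",
        "userPassword": "battery-staple",
    },
}


def find_user(directory: Dict[str, Dict[str, str]], identity: str) -> Optional[Tuple[str, str]]:
    """Model of FIND_USER.

    An escaped assertion value matches only an entry whose cn is literally the
    identity, which is how an LDAP server evaluates the escaped filter; the
    in-memory match therefore compares the raw attribute value. Returns
    (entry DN, uid) or None.
    """
    for dn, attrs in directory.items():
        if attrs.get("objectClass") == "inetOrgPerson" and attrs.get("cn") == identity:
            return dn, attrs["uid"]
    return None


def bind_user(directory: Dict[str, Dict[str, str]], dn: str, password: str) -> bool:
    """Model of BIND_USER: a simple bind succeeds only when the DN exists and
    the supplied password matches (compared in constant time)."""
    entry = directory.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry.get("userPassword", ""), password)


def authenticate(directory: Dict[str, Dict[str, str]], identity: str, password: str) -> Tuple[bool, str]:
    """The DEFAULT policy: FIND_USER, then BIND_USER with vars.user_dn."""
    found = find_user(directory, identity)
    if found is None:
        return False, "reject: user not found"
    user_dn, username = found  # vars.user_dn and user.username from the mapping
    if not bind_user(directory, user_dn, password):
        return False, f"reject: bind failed for {user_dn}"
    return True, f"accept: {username} ({user_dn})"


if __name__ == "__main__":
    print(build_find_user_filter("alice"))
    print(build_find_user_filter("*"))
    print(authenticate(DIRECTORY, "alice", "correct-horse"))
    print(authenticate(DIRECTORY, "alice", "wrong"))
    print(authenticate(DIRECTORY, "carol", "anything"))
```

Running the script shows that an identity containing filter metacharacters is turned into a literal assertion value (`cn=\2a`) and is simply not found, while a known user is accepted only when the bind succeeds with the request password.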