3.43. <AuthBy LDAP2> Previous topic Parent topic Child topic Next topic

<AuthBy LDAP2> module authenticates by issuing requests to an LDAP server. When the LDAP server replies, Radiator fetches a number of attributes and looks in them for the password, check items and reply items in order to authenticate the user. It does not log (but does reply to) accounting requests. You need to have a basic understanding of LDAP servers and databases in order to configure <AuthBy LDAP2>.
When an <AuthBy LDAP2> module receives its first authentication request, it attempts to connect to the LDAP server specified by Host. Optionally you can authenticate Radiator as a valid user of the LDAP server by specifying AuthDN and AuthPassword. (This is not the same thing as authenticating a user. It happens before authenticating a user, and proves that this radiusd is allowed to talk to the LDAP database).
The <AuthBy LDAP2> module tries then to fetch some attributes for the user. Specify the base DN to start looking in, and the attribute name with which to filter. Also specify the attributes that contain the password, and (optionally) the names of the attributes containing an encrypted password, RADIUS check items and RADIUS reply items. This scheme allows you to work with almost any LDAP schema. All you have to do is identify the right LDAP attribute names.
If all the check items are satisfied by the attributes in the request, the <AuthBy LDAP2> module replies with an Access-Accept message containing all the attributes in the reply items attribute (if any). If the user does not appear in the LDAP database, or if any check attribute does not match, an Access-Reject message is sent to the client.
At present, <AuthBy LDAP2> modules do synchronous connections and searches. This can mean significant delays if your LDAP server is reached by a slow network connection, or your LDAP server is slow. In this case, consider putting the <AuthBy LDAP2> realm in a sub-server, and having your main Radiator forward requests for that realm to the RADIUS sub-server.
This clause supports all the common LDAP configuration parameters. For more information about the LDAP configuration parameters, see Section 3.7. LDAP configuration.
<AuthBy LDAP2> understands also the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.26. <AuthBy xxxxxx>.