LDAP-Radius Server Project


Introduction

LDAP-Radius is an AAA server that makes real-time queries against an LDAP directory. Its primary feature is that all essential configuration changes are made by adding, changing or deleting directory entries. After the initial setup it is therefore no longer necessary to edit the local files on the radius host, neither by hand nor with ad-hoc scripts. The directory entries can be modified with a native LDAP browser or with any GUI or web frontend.

LDAP-Radius is based entirely on Cistron Radius 1.6.4. The original source code is not changed, only extended with the LDAP features, so all functionality of Cistron Radius remains available.

Main Features

Release Information

The current release is 1.98a and is in beta state. It has been running for about a month without any problems in an ISP environment with about 2000 logins per hour. The LDAP server currently used is OpenLDAP 2.0.11; everything runs on FreeBSD 4.3-RELEASE.

Known Bugs and Problems

Missing Features and further Improvements

Download

The current release 1.98a can be downloaded directly from here: radius-ldap-1.98a.tar.gz (168k). If you prefer a diff, get this instead: radiusd-ldap-1.98a.diff.gz (20k). The diff applies against the original Cistron 1.6.4 source tree, which you can download from ftp://ftp.radius.cistron.nl/pub/radius/radiusd-cistron-1.6.4.tar.gz.

Installation

Building

As usual for the original Cistron Radius, check the 'conf.h' file and also have a look at the Makefile.
Then simply type 'make'; if everything looks good, type 'make install'. By default all files needed by the radius server are installed into '/var/radiusd'.
Now you should be able to start '/var/radiusd/sbin/radiusd'.
Be aware that the server looks up its primary IP, which is usually the IP corresponding to the hostname (see 'localip.c' for details). This is necessary because the IP is used as the key for looking up that server's proxying information in the directory. Thus many radius servers can share the same directory.

Directory Structure

Basics

The LDAP servers used for queries are specified in the 'raddb/ldaps' file; see there for detailed information. You can specify one or more servers, for example two replicated directories for redundancy and load sharing, and for each server the number of connections to open. An LDAP schema you may want to use is also included; see the 'radius.schema' file. The default configuration depends on it unless you modify 'conf.h'. It is also available from Sun.com (I found it there and translated it to V3, but I cannot remember the link) and is similar to the schema used by some other LDAP patches for Cistron Radius.

Structure Description

The directory should contain three subtrees: 'servers', 'clients' and 'users'. The 'servers' tree contains the proxying information, the 'clients' tree holds the IPs and secrets of the clients/NAS just as the original 'clients' file does, and the 'users' tree contains the user and realm information. The DNs of the three trees are configured in the 'conf.h' file.

Visual Explanation

Look at this text file for the structure of the directory, to better understand how it works. Also have a look at this sample LDIF file for detailed directory information; it explains all of the capabilities.

Major Differences

There is only one difference compared to Cistron Radius: the IP used to look up the NAS in the LDAP 'clients' subtree is taken from the 'NAS-IP-Address' attribute instead of the UDP source address. This is useful for proxying, because a radius server behind a proxy could otherwise not determine the IP for group authorization, since it only ever sees the IP of the proxy.
The problem: Cisco uses its primary IP for 'NAS-IP-Address', which is usually the first ethernet interface, or the first loopback interface if one exists. I do not know whether this works with other vendors' routers, as I only have Cisco equipment for testing.
ATTENTION: Don't be confused! The basic client check (the shared-secret check) is of course still done on the UDP source IP address, as Cistron always does. There is no change in the original Cistron source code for this, so it is NOT a security problem (thanks to Alan DeKok for this hint!).
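As an added example (not code from LDAP-Radius or Cistron Radius), the following Python script models the two lookups described in the Directory Structure and Major Differences sections: the shared-secret check keyed on the UDP source address, and the 'clients' subtree lookup for group authorization keyed on the NAS-IP-Address attribute (type 4). The 'clients' subtree is replaced by an in-memory table; its field names ('secret', 'group') and the addresses are assumptions for this example, not the project's schema. The packet layout and the User-Password hiding follow RFC 2865, so the script also shows why a sender that does not hold the secret for its source address cannot produce a usable request, whatever NAS-IP-Address it claims.

```python
import hashlib
import ipaddress
import os
import struct

# Stand-in for the 'clients' subtree: address -> shared secret and the group
# used for authorization.  Field names and addresses are assumptions for this
# example, not the LDAP-Radius schema.
CLIENTS = {
    "192.0.2.10": {"secret": b"nas-secret-1", "group": "dialup-pool-a"},
    "192.0.2.20": {"secret": b"proxy-secret", "group": "proxy-hosts"},
}

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def _tlv(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret, authenticator, data, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block); the first block is chained from the authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored   # always chain on the ciphertext
    return out


def build_access_request(secret, username, password, nas_ip, authenticator=None):
    """Build an Access-Request as a NAS (or proxy) holding `secret` would."""
    authenticator = authenticator or os.urandom(16)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    attrs = (_tlv(USER_NAME, username)
             + _tlv(USER_PASSWORD, hide_password(secret, authenticator, padded))
             + _tlv(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, authenticator, {type: value})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, packet[4:20], attrs


def handle_request(udp_src, packet):
    """Server side.  Returns None when the request is dropped, otherwise
    (username, recovered password, group used for authorization)."""
    # 1. Client check keyed on the UDP source address, as Cistron does: an
    #    unknown source is silently discarded before anything is parsed, and
    #    this entry is where the shared secret comes from.
    client = CLIENTS.get(udp_src)
    if client is None:
        return None
    code, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return None
    password = hide_password(client["secret"], authenticator,
                             attrs[USER_PASSWORD], decrypt=True).rstrip(b"\x00")
    # 2. Group lookup keyed on NAS-IP-Address instead of the UDP source, so
    #    it still names the real NAS when the request came through a proxy.
    group = None
    nas_ip = attrs.get(NAS_IP_ADDRESS)
    if nas_ip is not None and len(nas_ip) == 4:
        entry = CLIENTS.get(str(ipaddress.IPv4Address(nas_ip)))
        group = entry["group"] if entry else None
    return attrs[USER_NAME].decode(), password, group


if __name__ == "__main__":
    req = build_access_request(b"proxy-secret", b"alice", b"s3cret", "192.0.2.10")
    print(handle_request("192.0.2.20", req))    # proxied: group of 192.0.2.10
    print(handle_request("198.51.100.7", req))  # unknown source: dropped
```

A proxied request (UDP source = the proxy, NAS-IP-Address = the real NAS) resolves to the real NAS's group, while a request from an unknown source is dropped before any attribute is read, and a request from a known source but hidden with the wrong secret yields an unusable password. Note the trust boundary this implies: any peer that holds a valid shared secret chooses the NAS-IP-Address value it sends, so the group lookup trusts authenticated clients and proxies, not the address itself.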

Development and Contact

I am currently working alone on this project. If you are interested, feel free to join my 'one-person development team' ;) to build a really stable, open-source LDAP radius. Contact me at bf(at)abenteuerland(dot)at.

Mailing List

There is currently no mailing list. If the project attracts some interest, I will open a separate list.

Support

If you have problems or questions regarding LDAP-Radius, feel free to contact me. If you have trouble with the basic Cistron Radius features, please have a look at the Cistron homepage at http://www.radius.cistron.nl/. For developer information or questions regarding Cistron Radius, please contact the Cistron developers list.
Last update 2001-08-29 17:55 CET, Bernhard Fiser (BH), bf(at)abenteuerland(dot)at