LDAP-Radius Server Project
Introduction
The LDAP-Radius is an AAA server that makes real-time queries to an LDAP directory.
The primary feature is that all essential configuration changes are made by
changing, adding or deleting directory entries. Hence, after the initial setup, it is
no longer necessary to edit the local files on the radius host, neither manually
nor by some weird scripts. The modifications of the directory entries can be
done either with a native LDAP browser or with some GUI or web frontend.
The LDAP-Radius is completely based on Cistron Radius 1.6.4.
The original source code is not changed; it is merely extended by the LDAP features, hence
all functionality of Cistron Radius is available.
Main Features
- Proxying controlled by LDAP
- Realm rewriting
- Client IPs and secrets stored in LDAP
- Users stored in LDAP, structured by realms
- Clients can be grouped by realms. You can decide that specific realms are granted access
to only some clients (NAS).
- Optional logging of accounting records and/or failed logins to syslogd for easy user support.
- Persistent LDAP connections and LDAP load sharing
Release Information
The current release is 1.98a and is in beta state. It has been running for about one month
without any problems in an ISP environment with about 2000 logins per hour. The LDAP
server currently used is OpenLDAP 2.0.11, everything running on FreeBSD 4.3-RELEASE.
Known Bugs and Problems
- Memory leak in the accounting process
- A HUP signal can crash the server
- Loss of the LDAP connection crashes the server
- When LDAP timeouts occur during the proxying phase, all pending requests are blocked for
the configured timeout period because of the sequential design of Cistron's proxy feature.
Missing Features and further Improvements
- Radius attributes cannot currently be retrieved from the directory.
- Better signal handling.
- Correct handling of LDAP TCP sessions in case of failure.
- Cascaded realms not implemented yet.
- Use of LDAP caching for performance improvement.
- The config file parser for the newly introduced 'ldaps' file should be improved.
- Development and testing were done only on FreeBSD, hence the only correct
Makefile is 'Makefile.BSD'. I don't know if it runs on other systems, but it should.
Download
The current release 1.98a can be downloaded directly from here:
radius-ldap-1.98a.tar.gz (168k). If you prefer a diff file,
get this instead: radiusd-ldap-1.98a.diff.gz (20k). It is a
patch against the original Cistron 1.6.4 source tree, which you can download from
ftp://ftp.radius.cistron.nl/pub/radius/radiusd-cistron-1.6.4.tar.gz.
Installation
Building
As usual for the original Cistron Radius, check the 'conf.h' file and also have
a look at the Makefile.
Then simply type 'make'; if everything looks good, type 'make install'. By default
all necessary files for the radius server are installed into '/var/radiusd'.
Now you should be able to start '/var/radiusd/sbin/radiusd'.
Be aware that the server looks up its primary IP, which is usually the IP corresponding
to the hostname (see 'localip.c' for details). That is necessary because this IP
is used as the key to look up the proxying information for that server in the directory.
Thus you can use the same directory for many radius servers.
Directory Structure
Basics
The LDAP servers used for queries are specified in the 'raddb/ldaps' file. See there for
detailed information. You can specify one or more servers, for example if you have
two replicated directories for redundancy and load sharing purposes. You can also
specify the number of connections for each server.
An LDAP schema you might want to use (and the current configuration depends on it unless you
modify 'conf.h') is also included. See the 'radius.schema' file. It is also available
for download at Sun.com (I found it there and translated it to V3, but I can't remember the link),
and is similar to the schema used by some LDAP patches for Cistron Radius.
Structure Description
The directory should contain three subtrees: 'servers', 'clients' and 'users'.
The 'servers' tree contains the proxying information, the 'clients' tree
holds the IPs and secrets of the clients/NAS as the original 'clients' file does,
and the 'users' tree contains the user and realm information. The DNs for the
trees are configured in the 'conf.h' file.
Visual Explanation
Look at this text file for the structure of the directory
to better understand how it works. Have also a look at
this sample LDIF file for detailed directory information; it explains
all of its capabilities.
Major Differences
There is only one difference compared to Cistron Radius: for the lookup in the
LDAP 'clients' subtree, I changed the IP to look for from the UDP source address to the
'NAS-IP-Address' attribute. That's useful for proxying, because the radius server behind the
proxy could not otherwise determine the IP for group authorization, as it would only ever
see the IP of the proxy.
The problem: Cisco uses its primary IP for 'NAS-IP-Address', which is usually the first Ethernet
interface or, if it exists, the first loopback interface. I don't know if it works with other
vendors' routers; I only have Cisco for testing.
ATTENTION: Don't be confused! The basic client check is of course done by the UDP source IP address, as Cistron always does. There is no change in the original Cistron source code, so it is NOT a security problem (thanks to Alan DeKok for this hint!).
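The two-stage check described above, shown as an added example written for this page (it is not LDAP-Radius or Cistron code): the shared secret is always chosen by the UDP source address, and only afterwards does the NAS-IP-Address attribute decide which realms the NAS behind a proxy may serve. The client table, realm grouping, addresses, secrets and the Request Authenticator are all constructed stand-ins for the 'clients' subtree and the realm configuration; the packet layout and User-Password hiding follow RFC 2865.

```python
"""Two-stage client check as the page describes it: the shared secret always
comes from the entry matching the UDP source address (Cistron's own check),
while NAS-IP-Address is only used afterwards to decide which realms a NAS is
allowed to serve. Added example, not LDAP-Radius code; the dicts are
constructed stand-ins for the 'clients' subtree and the realm grouping."""
import hashlib
import socket
import struct

ATTR_USER_NAME = 1        # RFC 2865 attribute types
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

# Constructed stand-in for the 'clients' subtree: UDP source IP -> shared secret.
CLIENTS = {
    "192.0.2.10": b"proxy-secret",   # a proxy that forwards requests to us
    "192.0.2.20": b"nas-secret",     # a NAS talking to us directly
}
# Constructed stand-in for the realm grouping: NAS-IP-Address -> allowed realms.
NAS_REALMS = {
    "198.51.100.5": {"example.com"},                 # NAS behind the proxy
    "192.0.2.20": {"example.com", "example.net"},
}


def _pap_blocks(secret, authenticator, data, decrypt):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous block); the chain runs over ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def make_request(ident, authenticator, secret, user, password, nas_ip):
    """Build an Access-Request the way a NAS (or a proxy) would send it."""
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, _pap_blocks(secret, authenticator, padded, False)),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return the (type, value) pairs after the 20-byte header, rejecting
    malformed lengths instead of reading past the buffer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def check_request(src_ip, packet):
    """Apply both checks; returns a dict whose 'verdict' is drop/reject/accept."""
    # Stage 1: client check keyed by the UDP source address, exactly as Cistron
    # does it. An unknown source is dropped silently, as RFC 2865 requires.
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return {"verdict": "drop", "reason": "unknown client %s" % src_ip}
    attrs = dict(parse_attributes(packet))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    realm = user.rpartition("@")[2] if "@" in user else ""
    # Stage 2: realm authorisation keyed by NAS-IP-Address. Behind a proxy the
    # source address is the proxy's, so only this attribute names the real NAS.
    raw = attrs.get(ATTR_NAS_IP_ADDRESS)
    if raw is None or len(raw) != 4:
        return {"verdict": "reject", "reason": "missing NAS-IP-Address"}
    nas_ip = socket.inet_ntoa(raw)
    if realm not in NAS_REALMS.get(nas_ip, set()):
        return {"verdict": "reject",
                "reason": "realm %r not granted to NAS %s" % (realm, nas_ip)}
    # Only the secret chosen in stage 1 can unhide the password; a request sent
    # with the wrong secret yields garbage here and fails the later user check.
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    password = _pap_blocks(secret, packet[4:20], hidden, True).rstrip(b"\x00")
    return {"verdict": "accept", "user": user, "nas": nas_ip, "password": password}


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed Request Authenticator; random in practice
    pkt = make_request(7, auth, b"proxy-secret", "alice@example.com",
                       b"hunter2", "198.51.100.5")
    print(check_request("192.0.2.10", pkt))   # accepted: proxy known, realm granted
    print(check_request("203.0.113.9", pkt))  # dropped: source address unknown
```

The point the ATTENTION note makes is visible in the order of the two lookups: a datagram from an address that is not in the 'clients' subtree never reaches the NAS-IP-Address check, so the attribute only narrows what an already-authenticated client may do, it never widens it.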
Development and Contact
I'm currently working alone on this project. If you are interested, feel free to join
my 'one-person development team' ;) to get a really stable, open source LDAP radius.
Contact me at bf(at)abenteuerland(dot)at.
Mailing List
There is currently no mailing list available. If it attracts some interest, I'll open a
separate list.
Support
If you have problems or any questions regarding LDAP Radius, feel free to contact me.
If you have trouble with the basic Cistron Radius features, please have a look
at the Cistron homepage at http://www.radius.cistron.nl/.
If you have developer information or questions regarding Cistron Radius, please contact the
Cistron Developers List.
Last update 2001-08-29 17:55 CET, Bernhard Fiser (BH), bf(at)abenteuerland(dot)at