[Serusers] SER authentication through FreeRadius with an LDAP backend

Jon Steer jsteer at bitscout.com
Wed Feb 15 17:56:56 CET 2006


Requirement

 Authenticating SIP Clients through a SIP proxy via RADIUS with an LDAP Backend
 using digest mode.

 The path is SIP client X -> Ser SIP Proxy -> FreeRadius -> Fedora Directory Server


Issue

 Cannot authenticate a SIP client using Freeradius digest mode and LDAP.

 After reading through a number of the newslists of all of the projects
being used, there is contradictory information about whether this is possible.

One solution described in the FreeRadius mailing list says that it
should be possible by setting up radiusd.conf correctly to return the
password field from the LDAP server and then having the digest module
decode it.

Another thread in freeradius says that it isn't possible to store the passwords
in the LDAP server encrypted, and that the LDAP server needs to return
cleartext passwords over a TLS connection.

Several threads in the SER say that it is possible, but the examples
given don't include LDAP in the equation so it is hard to tell.

I have read the Radius Howto on the SER page and the LDAP howto in the
freeradius documentation and neither of them authoritatively answers
the question.

Environment
 OS:  Fedora 4
 Radius Server : FreeRadius 1.0.4
 Radius Client : radiusclient-ng 5.2
 SIP Proxy :  SER 0.9.4
 Directory Server: Fedora Directory Server 1.0.1
 Directory Server schema: inetOrgPerson
 Directory Server password encoding: SHA
 SIP Client : Client X


Network setup
 ServerA hosts SER, FreeRadius
 ServerB hosts Directory Server

 Both servers are on the same subnet.

thanks,
jon




--

"Wherever you go, there you are"
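
Added example, not part of the original post: the two claims quoted in the message come down to what the digest check needs as input. It needs MD5(user:realm:password), which can be computed from a cleartext password or stored precomputed, but not recovered from a {SHA} userPassword value. The no-qop RFC 2617 response form is assumed, and all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, realm, password):
    """HA1 = MD5(username:realm:password), the only secret digest auth uses."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def ldap_sha(password):
    """{SHA} userPassword value: base64 of the SHA-1 of the password alone."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def server_verify(kind, stored, user, realm, nonce, method, uri, client_resp):
    """Check a client's digest response against what the backend returned."""
    if kind == "cleartext":
        secret = ha1(user, realm, stored)
    elif kind == "ha1":
        secret = stored  # backend already holds MD5(user:realm:password)
    else:
        # A one-way hash of the password alone cannot be turned into HA1.
        raise ValueError(f"cannot derive HA1 from a {kind} value")
    expected = digest_response(secret, nonce, method, uri)
    return hmac.compare_digest(expected, client_resp)

# Constructed sample exchange (hypothetical user, realm, nonce).
USER, REALM, PASSWORD = "alice", "example.test", "s3cret"
NONCE, METHOD, URI = "4f1a9c0de7", "REGISTER", "sip:example.test"
CLIENT_RESP = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)

if __name__ == "__main__":
    args = (USER, REALM, NONCE, METHOD, URI, CLIENT_RESP)
    print("cleartext backend: ", server_verify("cleartext", PASSWORD, *args))
    print("stored-HA1 backend:", server_verify("ha1", ha1(USER, REALM, PASSWORD), *args))
    # Feeding the {SHA} string in as if it were the password does not match.
    print("{SHA} as password: ", server_verify("cleartext", ldap_sha(PASSWORD), *args))
```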



