[Serusers] SER authentication through FreeRadius with an LDAPbackend

Greger V. Teigre greger at teigre.com
Wed Feb 15 21:29:45 CET 2006


With LDAP you bind with a username/pw to authenticate, or pull out the 
userPassword attribute and check against it. You need either the clear-text pw 
or an MD5 hash in order to do the digest auth method. If you have SHA1 or some 
other hash in your LDAP, you have no chance. The only chance is to migrate (or 
synchronize) user passwords over time by storing a new attribute (e.g. 
userPasswordMD5) whenever you have the clear-text pw available (in your LDAP 
front-end app).
I assume FreeRADIUS can retrieve a password from SQL or LDAP in either 
cleartext or MD5 and do digest on them. If not, you need to do some coding.
g-)

----- Original Message ----- 
From: "Jon Steer" <jsteer at bitscout.com>
To: <serusers at lists.iptel.org>
Sent: Wednesday, February 15, 2006 5:56 PM
Subject: [Serusers] SER authentication through FreeRadius with an 
LDAPbackend


> Requirement
>
> Authenticating SIP clients through a SIP proxy via RADIUS with an LDAP 
> backend, using digest mode.
>
> The path is SIP client X -> SER SIP proxy -> FreeRADIUS -> Fedora
> Directory Server
>
>
> Issue
>
> Cannot authenticate a SIP client using FreeRADIUS digest mode and LDAP.
>
> After reading through a number of the mailing lists of all of the projects
> being used, there is contradictory information about whether this is 
> possible.
>
> One solution described on the FreeRADIUS mailing list says that it
> should be possible by setting up radiusd.conf correctly to return the
> password field from the LDAP server and then having the digest module
> decode it.
>
> Another thread on the FreeRADIUS list says that it isn't possible to store 
> the passwords in the LDAP server encrypted: that the LDAP server needs to 
> return cleartext passwords over a TLS connection.
>
> Several threads on the SER list say that it is possible, but the examples
> given don't include LDAP in the equation, so it is hard to tell.
>
> I have read the RADIUS howto on the SER page and the LDAP howto in the
> FreeRADIUS documentation, and neither of them authoritatively answers
> the question.
>
> Environment
> OS:  Fedora 4
> Radius Server : FreeRadius 1.0.4
> Radius Client : radiusclient-ng 5.2
> SIP Proxy :  SER 0.9.4
> Directory Server: Fedora Directory Server 1.0.1
> Directory Server schema: inetOrgPerson
> Directory Server password encoding: SHA
> SIP Client : Client X
>
>
>  Network setup
> ServerA hosts SER, FreeRadius
> ServerB hosts Directory Server
>
> Both servers are on the same subnet.
>
> thanks,
> jon
>
>
>
>
> --
>
> "Whereever you go, there you are"
>
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
> 
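The constraint Greger describes, as an added example that is not part of the thread and not code from SER, FreeRADIUS or Fedora Directory Server: SIP digest authentication (RFC 2617 style, as SER and the FreeRADIUS digest module use it) needs HA1 = MD5(username:realm:password) on the server side. HA1 can be computed from a cleartext userPassword, or stored directly as a precomputed MD5 value, but it cannot be derived from a {SHA}/{SSHA} hash, nor from a plain {MD5} hash of the bare password, because the realm and username are missing from those digests. The realm `example.org`, the user `alice`, the nonce and the attribute name `userPasswordMD5` (taken from the reply's suggestion) are constructed for this demo; the verifier shows both the cleartext and the precomputed-HA1 path, rejects a SHA-encoded entry, and includes the "migrate on next cleartext sighting" step.

```python
import base64
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 as defined for HTTP/SIP digest: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    qop: str = None, nc: str = None, cnonce: str = None) -> str:
    """Response value a SIP client sends back; same formula the server recomputes."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth form
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # legacy RFC 2069 form


def ha1_from_ldap_entry(entry: dict, username: str, realm: str):
    """Return the HA1 the server needs, or None if the directory only holds a hash
    the digest scheme cannot use. 'userPasswordMD5' is a hypothetical attribute
    holding a precomputed HA1, as suggested in the reply above."""
    if "userPasswordMD5" in entry:
        return entry["userPasswordMD5"]
    pw = entry.get("userPassword")
    if pw is None:
        return None
    if pw.startswith("{CLEAR}"):
        return compute_ha1(username, realm, pw[len("{CLEAR}"):])
    if not pw.startswith("{"):  # bare cleartext, no scheme prefix
        return compute_ha1(username, realm, pw)
    # {SHA}, {SSHA}, {CRYPT}, and even {MD5} (MD5 of the bare password, no
    # username/realm) are all one-way with respect to HA1: unusable for digest.
    return None


def verify_digest(entry: dict, username: str, realm: str, method: str, uri: str,
                  nonce: str, response: str, qop: str = None, nc: str = None,
                  cnonce: str = None) -> bool:
    """Server-side check of a client's digest response against the LDAP entry."""
    ha1 = ha1_from_ldap_entry(entry, username, realm)
    if ha1 is None:
        return False  # cannot authenticate: no usable credential material
    expected = digest_response(ha1, method, uri, nonce, qop, nc, cnonce)
    return hmac.compare_digest(expected, response)  # constant-time compare


def migrate_entry(entry: dict, username: str, realm: str, cleartext: str) -> dict:
    """The migration path from the reply: when the LDAP front-end sees the
    cleartext (login or password change), store HA1 in a new attribute so the
    existing {SHA} userPassword can stay as-is."""
    migrated = dict(entry)
    migrated["userPasswordMD5"] = compute_ha1(username, realm, cleartext)
    return migrated


def sha_encode(password: str) -> str:
    """Build a {SHA} userPassword value as Fedora DS / OpenLDAP store it (constructed input)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def demo() -> dict:
    """Run the three cases; returns a dict so the outcome can be checked."""
    user, realm, pw = "alice", "example.org", "s3cret"
    method, uri, nonce = "REGISTER", "sip:example.org", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    # The client only knows its password; it computes HA1 locally.
    client_resp = digest_response(compute_ha1(user, realm, pw), method, uri, nonce,
                                  qop="auth", nc="00000001", cnonce="0a4f113b")
    clear_entry = {"userPassword": pw}
    sha_entry = {"userPassword": sha_encode(pw)}
    migrated = migrate_entry(sha_entry, user, realm, pw)
    common = (user, realm, method, uri, nonce, client_resp, "auth", "00000001", "0a4f113b")
    return {
        "cleartext": verify_digest(clear_entry, *common),
        "sha_only": verify_digest(sha_entry, *common),
        "sha_plus_ha1": verify_digest(migrated, *common),
        "wrong_password": verify_digest({"userPassword": "other"}, *common),
    }


if __name__ == "__main__":
    print(demo())
```

The `sha_only` case is exactly the original poster's setup (inetOrgPerson with SHA password encoding): the proxy never sees the password, only the MD5-based response, so there is nothing the SHA-1 digest can be compared against. Storing HA1 rather than the cleartext also means that whatever FreeRADIUS pulls out of the directory is already bound to one realm, which limits the damage if the attribute leaks.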