SLAPD-PW-RADIUS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
Copyright 2015-2021 The OpenLDAP Foundation All Rights Reserved.
Copying restrictions apply. See COPYRIGHT/LICENSE.
$OpenLDAP$
NAME
slapd-pw-radius - Radius backend password module to slapd
SYNOPSIS
ETCDIR/slapd.conf

moduleload pw-radius /path/to/radius.conf

DESCRIPTION

The pw-radius module to slapd(8) provides support for using a RADIUS infrastructure as a backend to verify the password provided in Simple Bind operations to OpenLDAP.

It does so by providing an additional password scheme for use in slapd:

{RADIUS} RADIUS password scheme

Unlike in other password schemes, the value following the scheme is not a - potentially hashed - password, but the name of the corresponding RADIUS user in the RADIUS infrastructure.

This value, together with the password used in the Simple Bind operation, will be sent to the RADIUS server for authentication.

If the RADIUS server successfully authenticates the user, then the password verification succeeds, resulting in the LDAP Bind operation's success.

Conversely, failed RADIUS authentications lead to failing LDAP Binds.

CONFIGURATION
The pw-radius module needs no configuration beyond the additional filename argument to slapd.conf(5)'s moduleload directive. This filename is expected to point to a valid radius.conf(5) file adhering to libradius(3).

After loading the module, the password scheme {RADIUS} will be recognised in values of the userPassword attribute.

NOTES
Owing to its construction, using the {RADIUS} scheme as argument to the password-hash option in slapd.conf(5) does not make much sense.

This also applies to the use of the {RADIUS} scheme in slappasswd or ldappasswd.

EXAMPLES
To indicate that Simple Bind operations shall use the RADIUS user johndoe when validating passwords against the RADIUS infrastructure, set a user's LDAP attribute userPassword to:

userPassword: {RADIUS}johndoe
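
Because the value after {RADIUS} is a RADIUS user name rather than a hash, every entry carrying the same value is verified with that one RADIUS user's password. The following audit script is an added example, not part of this manual page or of OpenLDAP: it reads an LDIF export and lists which DNs delegate to which RADIUS user. The sample LDIF, the DNs and the function names are constructed for illustration, and scheme names are compared case-insensitively as an assumption of the script.

```python
import base64
import re
from collections import defaultdict

# Constructed sample LDIF export; only the johndoe value comes from the man page.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
userPassword: {RADIUS}johndoe

dn: uid=asmith,ou=people,dc=example,dc=com
userPassword:: e1JBRElVU31qb2huZG9l

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {SSHA}constructed-placeholder-not-a-real-hash
"""

SCHEME_RE = re.compile(r"\{([^}]+)\}(.*)", re.S)


def parse_user_passwords(ldif):
    """Yield (dn, scheme, value) for each userPassword value in an LDIF export."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        dn = None
        # Unfold LDIF continuation lines (newline followed by one space).
        for line in block.replace("\n ", "").splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):  # "attr:: ..." marks a base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "userpassword":
                m = SCHEME_RE.fullmatch(value)
                yield (dn, m.group(1).upper(), m.group(2)) if m else (dn, None, value)


def radius_delegations(ldif):
    """Map each RADIUS user name to the LDAP DNs whose binds it verifies."""
    mapping = defaultdict(list)
    for dn, scheme, value in parse_user_passwords(ldif):
        if scheme == "RADIUS":
            mapping[value].append(dn)
    return dict(mapping)


if __name__ == "__main__":
    for user, dns in radius_delegations(SAMPLE_LDIF).items():
        note = "  <-- shared by several entries" if len(dns) > 1 else ""
        print(f"{user}: {dns}{note}")
```

The second sample entry stores the same {RADIUS}johndoe value base64-encoded, which is how LDIF tools commonly emit userPassword, so a plain text search for the scheme name would miss it.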

LIMITATIONS
Due to the way the configuration is loaded (additional argument to slapd.conf's moduleload directive), this module cannot be used with table-driven configuration.
SEE ALSO
slapd.conf(5), libradius(3), ldap(3)

"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS
This manual page has been written by Peter Marschall.

OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OpenLDAP is derived from University of Michigan LDAP 3.3 Release.