LDAP authentication using RADIUS server

Tags: authentication, ldap, radius

I have a RADIUS server with a custom authentication method. I have a MySQL database with passwords of a Django CMS which are hashed in PBKDF2_SHA256, so I had to write a custom authentication script.
My RADIUS auth section looks like the following:

authorize {
    update control {
        Auth-Type := `/usr/bin/php -f /usr/djangologin/cpauth.php %{User-Name} %{User-Password}`
    }
}

The script checks the password with the Python passlib, returns true or false, and so the RADIUS returns Access-Accept or Access-Reject.

Now I have to set up an LDAP server because one of our new software products (Ulteo) does not support RADIUS authentication.

I have never worked with LDAP before. Before I try to reach the impossible, these are my main questions:

1. I did not find out how exactly passwords are stored. How are they encrypted? I know that they are stored in /etc/shadow. Are they encrypted in MD5 or SHA256/512?
2. Is it possible to use the RADIUS as an authentication method for the LDAP server? E.g. the user wants to authenticate against the LDAP server. The LDAP server looks for the username and passes it through to the RADIUS. On success, the RADIUS returns Access-Accept and the LDAP server confirms the successful login.
3. If 2. is not possible: Is there a way to create a custom authentication method like I created it for the RADIUS? Is there a better way to achieve my goal?

Thank you!
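As an added example (not the asker's cpauth.php script and not part of the original post), here is what the verification step behind such an exec-based RADIUS authenticator has to do: parse the Django `pbkdf2_sha256$iterations$salt$hash` string, recompute PBKDF2-HMAC-SHA256 with hashlib, and compare in constant time. The user table, salts and the low iteration count are constructed for the example; the exit-code convention (0 = Access-Accept, non-zero = Access-Reject) is the one the question's `Auth-Type := \`...\`` line relies on.

```python
import base64
import hashlib
import hmac
import sys

# Django's PBKDF2PasswordHasher format: pbkdf2_sha256$<iterations>$<salt>$<base64 digest>
ALGORITHM = "pbkdf2_sha256"


def encode_django_pbkdf2(password, salt, iterations):
    """Produce a Django-compatible PBKDF2-SHA256 hash string.

    Used here only to build the constructed sample table; real hashes come
    from the CMS database. Django's default iteration count is far higher
    than the 1000 used below; the small number keeps the example fast.
    """
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("ascii"), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, base64.b64encode(dk).decode("ascii"))


def verify_django_pbkdf2(password, encoded):
    """Return True only if password matches the stored Django hash string.

    Malformed input (wrong field count, unknown algorithm, bad base64,
    non-numeric or non-positive iteration count) is rejected rather than raised.
    """
    try:
        algorithm, iterations, salt, b64hash = encoded.split("$", 3)
        iterations = int(iterations)
        expected = base64.b64decode(b64hash, validate=True)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or iterations <= 0 or not salt:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations, dklen=len(expected))
    # Constant-time comparison so a mismatch leaks nothing about where the digests differ.
    return hmac.compare_digest(actual, expected)


# Constructed sample user table (stands in for the CMS's MySQL password column).
USERS = {
    "alice": encode_django_pbkdf2("correct horse battery staple", "constructedsalt1", 1000),
    "bob": encode_django_pbkdf2("hunter2-is-not-great", "constructedsalt2", 1000),
}
# Hash verified for unknown users so the lookup takes the same time either way.
DUMMY_HASH = encode_django_pbkdf2("dummy-password", "dummysalt", 1000)


def check_credentials(username, password, users=USERS):
    """Return 0 for Access-Accept, 1 for Access-Reject (rlm_exec exit-code convention)."""
    encoded = users.get(username, DUMMY_HASH)
    ok = verify_django_pbkdf2(password, encoded)
    return 0 if (ok and username in users) else 1


if __name__ == "__main__":
    # Same argv contract as the question's script: <User-Name> <User-Password>.
    if len(sys.argv) != 3:
        sys.exit(1)
    sys.exit(check_credentials(sys.argv[1], sys.argv[2]))
```

Two design points worth noting for this pattern: the stored iteration count is taken from the hash string itself, so users re-hashed by a newer Django with a higher count still verify; and passing the cleartext password as a command-line argument (as the question's backtick exec does) exposes it to anyone on the RADIUS host who can list processes, so a production script should take it from an environment variable or stdin instead.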

Best Answer

In most LDAP servers, the password is stored in the directory the server is hosting. I think it would be easiest to store the passwords in LDAP and authenticate RADIUS and everything else against LDAP. However, e.g. OpenLDAP supports SASL, so you can authenticate LDAP against something else, typically Kerberos.