Linux – How to configure openLDAP to lookup userPassword via FreeRadius

Tags: authentication, freeradius, linux, openldap

I am running Ubuntu 12.04 and OpenLDAP 2.4.28-1.1ubuntu4.5. I have users populated in LDAP with userPassword attribute being an {SHA1} hash. Users are able to login over SSH and authenticate to web applications.

Now, I'd like to add Radius authentication (from an OTP server) to the LDAP server as an additional mechanism. This way, users could authenticate via their Radius 'One Time Password' but all the POSIX attributes would get pulled down from LDAP. Is this possible? What is the mechanism called?

Best Answer

OpenLDAP 2.4 supports SASL password pass-through authentication (http://www.openldap.org/doc/admin24/security.html).

This feature allows you to delegate the authentication process to the saslauthd daemon and maintains the other attributes in OpenLDAP.

This feature requires you to replace the actual userPassword value with the string "{SASL}username@realm", so you can't use an SHA1 password and SASL authentication for the same user. Furthermore, SASL can use PAM as the backend authentication method.

PAM has a module that allows FreeRADIUS authentication. The full chain of authentication will be:

OpenLDAP Server --> saslauthd --> pam module with radius --> Freeradius server


There are two other ways to solve this problem:

  • If your web application supports PAM authentication, create a PAM module that uses both FreeRADIUS and LDAP authentication

  • If your web application supports RADIUS authentication, configure a FreeRADIUS with OpenLDAP as backend

SSH already supports PAM and RADIUS authentication (the latter using a PAM module).
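The chain the answer describes (OpenLDAP → saslauthd → PAM → FreeRADIUS), written out as the configuration fragments involved. This is an added example, not the answerer's configuration: the file paths are the Debian/Ubuntu defaults, and the user `jdoe`, realm `example.com`, RADIUS server address and shared secret are constructed placeholders. Each numbered part is a separate file; the `# --- N.` header names the file it belongs in.

```conf
# Added example of the chain: OpenLDAP -> saslauthd -> PAM -> FreeRADIUS.
# Paths are Debian/Ubuntu defaults (assumed); host, user and secret are placeholders.

# --- 1. /etc/ldap/sasl2/slapd.conf : slapd hands SASL password checks to saslauthd
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
# slapd runs as user "openldap" and must be able to open the mux socket
# (on Ubuntu: adduser openldap sasl).

# --- 2. /etc/default/saslauthd : run saslauthd with the PAM backend
START=yes
MECHANISMS="pam"
# No "-c": saslauthd's credential cache would accept a one-time password
# again until the cache entry expires, which defeats the OTP.
OPTIONS="-m /var/run/saslauthd"

# --- 3. /etc/pam.d/ldap : PAM service consulted by saslauthd for slapd
#        (slapd presents the SASL service name "ldap"). Only pam_radius_auth
#        is consulted for auth, so a valid OTP is the only way this bind succeeds.
auth     required   pam_radius_auth.so
account  required   pam_permit.so

# --- 4. /etc/pam_radius_auth.conf : FreeRADIUS server, shared secret, timeout (s)
#        (package libpam-radius-auth). Keep this file root-owned, mode 0600.
# server[:port]   shared_secret            timeout
10.0.0.5          CHANGEME_SHARED_SECRET   3

# --- 5. otp-user.ldif : replace the {SHA} hash with a {SASL} reference so that
#        simple binds for this user are verified by saslauthd instead of slapd.
#        Apply with: ldapmodify -x -D cn=admin,dc=example,dc=com -W -f otp-user.ldif
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}jdoe@example.com

# --- 6. Verify each hop before converting users:
#   testsaslauthd -u jdoe -p <current OTP> -s ldap            # saslauthd -> PAM -> RADIUS
#   ldapwhoami -x -D uid=jdoe,ou=people,dc=example,dc=com -W   # slapd -> saslauthd
```

Convert one test account first and keep an admin bind DN with a normal hashed password, so a RADIUS outage cannot lock you out of the directory; the pass-through only applies to entries whose userPassword starts with `{SASL}`.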