[RADIATOR] LDAP authentication, IBM Lotus Domino

Heikki Vatiainen hvn at archred.com
Mon Nov 8 06:03:17 CST 2010


On 11/08/2010 01:46 PM, Martin Burton wrote:
> Hi Pekka,
> 
> We normally do something along the lines of:

I'll add one more thing. We have successfully used HoldServerConnection
flag with AuthBy LDAP2, so Pekka, you may want to see if it works with
your LDAP server too. Please see section 5.36.17 in Radiator 4.7
reference manual for more.

In short, this keeps the TCP connection to the LDAP server open, but not all
LDAP servers work correctly if the same connection is used for multiple
searches. If it works, it should be good for performance. If it seems
not to work, just remove HoldServerConnection from the configuration.

We used it with Novell's eDirectory and an LDAPS (SSL) connection with good
results. The manual has no mention of IBM, so this might be interesting
once the initial evaluation has been done and further tuning is done.

> # Split the LDAP auth into its own clause since it's used in
> # many different realms
> <AuthBy LDAP2>
>         Identifier SangerLDAP
>         Host xxxxxx.sanger.ac.uk
>         BaseDN ou=xxxxx,dc=sanger,dc=ac,dc=uk
>         UsernameAttr uid
>         PasswordAttr userPassword
>         # Ask the LDAP server to attempt to bind as the user,
> 	# saves having to maintain auth credentials within this
> 	# config file.
>         ServerChecksPassword
> </AuthBy>
> 
> # Handle logins to cisco switches.
> # The switch details are held in the RADCLIENTLIST
> # MYSQL table with a default realm set in there.
> <Handler Realm=ciscos.sanger.ac.uk>
> 	# Strip realm from username
>         RewriteUsername      s/^([^@]+).*/$1/
>         AuthBy SangerLDAP
> </Handler>
> 
> ...
> 
> <Handler Realm=...>
> 	...
> 	AuthBy SangerLDAP
> 	...
> </Handler>
> 
> ...
> 
> Hope that helps.
> 
> Regards,
> 
> Martin.
> 
> 
> On 08/11/10 10:53, Pekka.Panula at sofor.fi wrote:
>> Hi
>>
>> I am new to Radiator and we are currently evaluating it. I am trying to use
>> LDAP2 auth from an IBM Lotus Domino LDAP server (without success yet).
>>
>> I am wondering how I can strip the realm from the username or how to set the username;
>> I have a working freeradius conf here:
>>
>>  ldap {
>>                 server = "1.2.3.4"
>>                 port = "399"
>>                 basedn = "o=Sparknet"
>>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>>                 base_filter = "(objectclass=person)"
>>         ... 
>>  }
>>
>> How is that converted to Radiator?
>>
>> Terveisin/Regards,
>>    Pekka Panula, Sofor Oy - Jatkuvat palvelut
>>
>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547

