[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Radius and ldap



> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of David Lee
> On Tue, 21 Dec 1999, Tom Helmer Jensen wrote:
> > I have made a patch to Lucent's radius-server (v2.1) so it can use ldap
> > authentication.
> >
> > I believe it's unique in that way that each user has a field 'ppp' in
> > LDAP that defines the users ppp-profile. Eg. we have profiles 'NO_PPP',
> > 'STD_PPP' and 'IPX_PP' in our setup.
> >
> > Does anyone know of any ither way to do this?
> >
> > If anyone is interested i can send the patches.
>
> Is there not scope for doing this "from the other end"?  That is, to allow
> openldap to respond to radius requests.  That way, it could work with any
> radius client, whether Open Source or commercial.
>
That would essentially mean you have merged a RADIUS server into the LDAP
server code. Certainly a feasible thing to do, but not necessarily something
that would be widely desirable. I think modifying an existing RADIUS server
to be an LDAP client is nice, because it allows you to use  any LDAP server.
There are good arguments for keeping functionality separate, so that you're
not tied to a single implementation. There are also good arguments for
tightly integrating everything, for efficiency's sake, but then you are
permanently wedded to only one implementation. (Not that I'm one to argue
against this; I only ever plan to use OpenLDAP, myself...)

> Sun's "Directory Services 3.1" LDAP (bundled with Solaris 7) takes this
> approach.  Indeed it goes a step further and also responds to NIS
> requests.  That is, viewed from the outside, it is not only an LDAP server
> but also a radius and a NIS server.  The downside?  I believe they charge
> a licensing fee above a certain number of entries in the database.
>
> For example:  our site uses openldap, tacacs and NIS:  if openldap
> supported tacacs (or radius) and NIS, we would strongly consider migrating
> everything to openldap, and it would also give us some benefit over and
> above that mentioned.
>
> Just a thought...

Well, there's no technical reason not to do it. Are you talking about NIS or
NIS+, by the way? (No burning reason behind the question; NIS is easier,
more widely used, more limited in functionality... NIS+ makes a stab at
security, is hierarchical, etc., but I haven't seen it licensed by other
vendors...) It's a matter of finding somebody motivated enough to write the
code. Most of the necessary research is easily done since the respective
free standing servers are already available as open source. (Excluding NIS+,
I guess.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc