
Thread: Radius/LDAP Authentication

  1. #1
    Join Date
    Nov 2005
    Location
    London, ON
    Posts
    255
    Rep Power
    9

    Default Radius/LDAP Authentication

    I'm looking at using Zimbra's LDAP server as the backend for a FreeRadius server. Now I'm slowly trying to wrap my head around LDAP.

    What I would like to do, if this is even possible, is add an attribute to certain users (objectClass: radUser). Then when someone authenticates against Radius it will do an LDAP lookup and if the aforementioned attribute does not exist then no login, if it does then authenticate the username and password. I would really appreciate some insight into this. I tried to use ldapmodify to add the objectClass attribute but it failed, not sure as to why.

    Code:
    [zimbra@j ~]$ ldapmodify -D uid=zimbra,cn=admins,cn=zimbra -W
    Enter LDAP Password:
    dn: uid=rsharpe,ou=people,dc=mydomain,dc=ca
    changetype: modify
    add: objectClass
    objectClass: radUser
    modifying entry "uid=rsharpe,ou=people,dc=mydomain,dc=ca"
    ldap_modify: Referral (10)
            referrals:
                    ldap://t.mydomain.ca:389/uid=rsharpe,ou=people,dc=mydomain,dc=ca
    I really appreciate the help, I'm such an LDAP newb

  2. #2
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Lightbulb

    Check the wiki. Search on LDAP, you'll get lots of docs and examples.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #3
    Join Date
    Oct 2005
    Posts
    38
    Rep Power
    10

    Question

    Just wondering if you could set your freeradius server to check on zimbra LDAP, I'm looking for the same solution.

  4. #4
    Join Date
    Mar 2007
    Posts
    24
    Rep Power
    8

    Default

    Did anyone ever figure this out? I am trying to do the same thing.

  5. #5
    Join Date
    Jun 2007
    Posts
    14
    Rep Power
    8

    Default

    Quote Originally Posted by rsharpe
    What I would like to do, if this is even possible, is add an attribute to certain users (objectClass: radUser). Then when someone authenticates against Radius it will do an LDAP lookup and if the aforementioned attribute does not exist then no login, if it does then authenticate the username and password. I would really appreciate some insight into this. I tried to use ldapmodify to add the objectClass attribute but it failed, not sure as to why.
    my best guess is that the zimbra ldap server doesn't have this objectclass defined.

    try the following:

    try to add the objectclass "authorizedServiceObject" (quite common) and then the attribute "authorizedService: radUser" - that will later on save you trouble as you can add authorized services as needed on a per user basis (e.g. we use jabber, submission, zimbra, mail, etc.)

    hth
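
Added example (not part of the post above, and not code from any poster in this thread): a shell sketch that builds the LDIF for the `authorizedServiceObject` / `authorizedService: radUser` change suggested in post #5 and the search filter a RADIUS-side LDAP lookup would need so that only entries carrying that attribute are found. The DN, bind DN and server URL are the ones shown in post #1; `BASE`, the function names, and the assumptions that the referral target accepts the write and that the `authorizedServiceObject` schema is loaded there are mine.

```shell
#!/bin/sh
# Added example. DN, BIND_DN and MASTER are the values shown in post #1;
# BASE is assumed from the DN; SERVICE follows the suggestion in post #5.
DN='uid=rsharpe,ou=people,dc=mydomain,dc=ca'
BASE='ou=people,dc=mydomain,dc=ca'
BIND_DN='uid=zimbra,cn=admins,cn=zimbra'
MASTER='ldap://t.mydomain.ca:389'   # server named in the referral output
LOGIN='rsharpe'
SERVICE='radUser'

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash first, then * ( ), so a login name is always treated as a literal.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# LDIF that adds the object class and the per-service attribute in one modify.
make_ldif() {   # $1 = entry DN, $2 = service name
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'add: objectClass\nobjectClass: authorizedServiceObject\n-\n'
    printf 'add: authorizedService\nauthorizedService: %s\n' "$2"
}

# Filter for the RADIUS lookup: matches only when the user exists AND is
# flagged for this service, so unflagged users are never found.
radius_filter() {   # $1 = login name, $2 = service name
    printf '(&(uid=%s)(authorizedService=%s))' \
        "$(ldap_escape "$1")" "$(ldap_escape "$2")"
}

# Send the change to the referral target, then confirm the filter finds the entry.
apply_and_check() {
    make_ldif "$DN" "$SERVICE" |
        ldapmodify -x -H "$MASTER" -D "$BIND_DN" -W || return 1
    ldapsearch -x -H "$MASTER" -D "$BIND_DN" -W -b "$BASE" \
        "$(radius_filter "$LOGIN" "$SERVICE")" dn
}

# Nothing touches the directory unless the script is run with "apply".
if [ "${1:-}" = "apply" ]; then
    apply_and_check
fi
```

Run without arguments it only defines the functions; run with `apply` it prompts for the bind password twice (once for the modify, once for the search).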

  6. #6
    Join Date
    Mar 2007
    Posts
    12
    Rep Power
    8

    Default RADIUS and Zimbra

    Hi Folks.

    I have read the submissions to this thread and have a little contribution to make.
    I wanted to host a mail server specifically for Mobile Devices with Zimbra OS being the web client for "offline Mobile" usage.

    We offered a free 14-day trial where users could sign up for a new account and try the service out before paying us for an annual subscription.

    The idea was to monitor the login and prevent anyone whose account had expired (either trial or full subscription).
    I preferred to use FreeRadius for Authentication as I had worked quite a bit with it and CommuniGate Pro.

    The solution was to use RADIUS and Zimbra's built-in MySQL for storing login data and the LDAP Module for the actual authentication. We designed our own COSs for various types of Subscribers (trial, mobile, management and complementary).

    No passwords were replicated as all were stored in LDAP but we did have a suite of scripts whose job it was to ensure no one used the service outside the constraints placed on them.

    If you are interested, I can submit the scripts (in the spirit of Open Source).

    Alas, we later found that if you had the Network Edition running (as we wanted to use the Zimbra Mobile features), any account created by a potential subscriber and later deleted by the scripts after a certain period of inactivity after account expiry, one could not re-use the spare account.

    That in essence meant that if you had a 60-day trial for 50 accounts and you had 50 people sign up within that period (and the accounts were later redundant), they couldn't be reused as Zimbra's LDAP locks the counter and doesn't count down once the account has been deleted via zmprov da command.

    Alas, that eventually made us look elsewhere for a solution.

    Any ideas guys?

    LinuxProphet (Amateurs designed the Ark, Professionals designed Titanic...)

  7. #7
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by LinuxProphet
    Alas, we later found that if you had the Network Edition running (as we wanted to use the Zimbra Mobile features), any account created by a potential subscriber and later deleted by the scripts after a certain period of inactivity after account expiry, one could not re-use the spare account.

    That in essence meant that if you had a 60-day trial for 50 accounts and you had 50 people sign up within that period (and the accounts were later redundant), they couldn't be reused as Zimbra's LDAP locks the counter and doesn't count down once the account has been deleted via zmprov da command.
    Did you raise a support case for this or contact your sales person about this 'problem'?
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  8. #8
    Join Date
    Mar 2007
    Posts
    12
    Rep Power
    8

    Default RADIUS and Zimbra

    I did Phoenix, and I got a "duh" response.

    Could you, from a technical point of view possibly explain why that is and if the issue has been addressed?

    I am here because I want to use Zimbra on both our Network Appliances and our hosted service.

    But only if I can delete accounts without having to lose an account in the process.

    LinuxProphet

  9. #9
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    I'm afraid I don't have an answer for that, I would have assumed that if you deleted accounts they would be 'reusable'. Could you send me the details of your support case number and your company details in a PM and I'll see what I can dig up on Monday.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  10. #10
    Join Date
    Mar 2007
    Posts
    12
    Rep Power
    8

    Default RADIUS and Zimbra

    Will do.

    Get back to you. Thanks
