Freeradius Auth via LDAP against Active Directory Server 2003

Jacob Jarick mem.namefix at gmail.com
Fri Apr 27 09:43:06 CEST 2007


Well I have another angle I will be attacking the problem from on the weekend.
I will be installing and configuring OpenLDAP on my linux server
making it replicate the ADS 2003 server then following the
gentoo-wiki's Freeradius and OpenLDAP implementation howto.

So the modified layout plan:

client -> cisco wap -> linux + fr -> linux + openldap -> windows 2003 ADS

At least this way I will have two LDAP implementations to test
against; whichever works first becomes the default solution :).

I do understand that Novell eDirectory works very nicely (Novell's
LDAP implementation), but due to pricing issues it will be left until
the last option. I would like to say, though, that Novell generally has
excellent support.

On 4/27/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> I have been at this for a while now, so I thought I would share a
> summary of what I have figured out so far for anyone else that decides
> to try this.
>
> 1 - Documentation for this particular configuration is either out of
> date / incomplete / both. There are no howtos that will get you from start
> to end (if you do know of one or wrote one yourself please share - I
> will myself when I figure it all out).
>
> 2 - Most of the trouble is due to the fact we are making a Linux service
> talk to a Windows service (AD LDAP). FreeRADIUS talking to the Linux
> passwd file is a breeze by comparison.
>
> 3 - The Windows 2003 LDAP implementation will not provide a password when
> a user/service performs an LDAP search; the proper way, if I understand
> correctly, is to supply the plain text username/password, then FreeRADIUS
> performs a bind with the provided credentials against your ADS server;
> success means the password was correct.
>
> 4 - Installing "Services For Unix" on 2003 will make AD LDAP provide a
> password hash attribute among other Unix LDAP attributes. The user has
> to have POSIX enabled.
>
> 5 - Anonymous searches can be performed on 2003 AD LDAP if you set
> dSHeuristics to 0000002 using adsiedit.msc.
>
> 6 - Microsoft's LDAP is different to Novell's (big surprise) and so
> unfortunately their documentation isn't too helpful as a reference for
> people trying to use ADS in the same fashion.
>
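As an added illustration of the "bind as the user" approach described in point 3 (this is not configuration from the thread or from the FreeRADIUS project; it follows the layout of the stock FreeRADIUS 1.x radiusd.conf, and the hostname, DNs and service account are placeholders), the rlm_ldap section and the authorize/authenticate blocks would look roughly like this:

```conf
# Added example, not from the original post. Placeholders: ads.example.local,
# dc=example,dc=local and the radiussvc service account.
modules {
    ldap {
        server = "ads.example.local"        # placeholder: the Windows 2003 DC
        port = 389
        # AD refuses anonymous searches unless dSHeuristics is changed (point 5),
        # so a low-privilege service account does the initial user lookup.
        identity = "cn=radiussvc,cn=Users,dc=example,dc=local"
        password = "CHANGE_ME"
        basedn = "dc=example,dc=local"
        # AD users are normally matched on sAMAccountName, not uid.
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # AD hands out referrals for other naming contexts; chasing them with
        # the user's own credentials leads to spurious bind failures.
        chase_referrals = no
        rebind = no
        # No readable password attribute comes back from AD (point 3), so
        # rlm_ldap sets Auth-Type = LDAP, i.e. a simple bind as the user.
        set_auth_type = yes
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}

authorize {
    preprocess
    suffix
    ldap
}

authenticate {
    # A simple bind needs the cleartext password in the request, so this only
    # works for PAP (or EAP-TTLS/PAP); CHAP and MS-CHAP never carry it.
    Auth-Type LDAP {
        ldap
    }
}
```

Because the bind proves the password without ever reading a hash, this route works without Services For Unix, but it also means the RADIUS server and its clients handle the user's cleartext password, so RADIUS shared secrets and the LDAP link (start_tls or LDAPS) deserve the same care as the AD service account.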