Multiple (different) LDAP servers and authorisation

Stewart James Stewart.James at vu.edu.au
Wed Aug 15 05:48:51 CEST 2007 

Hi Alan,

Thanks for offering some help, no need to point out that in reality AD != True LDAP. Well and truly aware of it.

Lets step through what we need.

At the moment we have a large number of people that get their authentication/authorisation through the Radius server (VPN Service). There will be a period (over the next few months) where some people will have an account in AD and Novell, some will have just an account in Novell and some will have an account in AD.

What we want to be able to do is allow users to continue using their systems without changing anything in their configuration and for the Radius server to see if they are a authorised user with valid credentials on the AD LDAP interface and if they are not in that, check the Novell LDAP Interface.

I can:
* Have the system perform authentication on the user to the AD system and if the user is notfound, it will then check for the user on the Novell system - providing I do not specify and LDAP-Group requirement in the Users file e.g. Just authentication not authorisation.
* Have the system perform authentication and authorisation on a given user providing I only configure one of the Directory Services (e.g. only list the AD server for both authentication and authorisation)

SO it is only in the authorisation area I am having problems.

Does that make more sense?

Cheers,

Stewart

-----Original Message-----
From: freeradius-users-bounces+stewart.james=vu.edu.au at lists.freeradius.org [mailto:freeradius-users-bounces+stewart.james=vu.edu.au at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, 15 August 2007 12:16 PM
To: FreeRadius users mailing list
Subject: Re: Multiple (different) LDAP servers and authorisation

Stewart James wrote:
> I have been roped in to look over an issue we have with migrating from
> Novell to AD.

  Repeat after me: AD is not an LDAP server.

  It's not.  It fakes it pretty well, but it's not.

> As I stated earlier authentication fall through works like a treat (if
> in the users file I don’t specify an LDAP-Group authentication works).
> If I only specify 1 ldap server to do authentication and authorisation,
> everything works, its only when I try to do authorisation via LDAP-Group
> AND try to do authorisation fall through as documentation above do I
> start getting errors.

  If you are trying to use LDAP to obtain the "known good" password from
AD, it's impossible.

> rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter
> (samaccountname=USERNAME)
..
> rlm_ldap: looking for check items in directory...
> 
> rlm_ldap: looking for reply items in directory...

  Nothing.  i.e. The user was found, but *nothing* more than that was found.

> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user

  The server doesn't know how to authenticate the user, so the user is
rejected.

  Please explain a little more what you're trying to do, and what you
expect to see where.  Right now, you're trying to debug a solution.
Instead, focus on the problem, and the solution may be simple (or
impossible).

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list