differentiate authorization/authentication in separate ldap modules
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Sep 4 15:01:39 CEST 2013
On 4 Sep 2013, at 13:10, "Hachmer, Tobias" <Tobias.Hachmer at stadt-frankfurt.de> wrote:
>>> How can I do this and how "magic" could I rewrite the DN?
>>> The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more than rewriting the base DN.
>>> When there's no way to determine the DN in the AD DIT again, I think I can achieve this more easily using ntlm_auth because I just want to check the password against AD, am I right?
>>
>> Yes.
>>
>> update control {
>>     LDAP-BaseDN !* ANY
>> }
>> open_ldap.authorize
>> open_ldap
>
> Thanks Arran for the answer. I dropped the ldap module for AD and configured ntlm_auth to keep the freeradius config simpler.
> Then I defined a new Auth-Type which does ntlm_auth and, in case of reject, falls back to the ldap module (in case the Active Directory server is not available).
>
> authorize {
>     ...
>     ldap_local
>     ...
> }
>
> authenticate {
>     ...
>     Auth-Type AD {
>         ntlm_auth {
>             reject = 2
>         }
>         if (reject) {
>             ldap_local
>         }
>     }
>     ...
> }
>
> For users who are in active directory I added a new radius profile which sets Auth-Type to "AD".
> For users who are only in the local ldap, the module does this automatically.
Ah, fair enough. Just be aware that LDAP bind will be significantly faster than calling out to ntlm_auth.
Doesn't matter if you've got fairly light auth traffic, but may be a factor if your server(s) are heavily loaded.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
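As an added example, not part of this thread and not FreeRADIUS's stock configuration, here is the AD-then-local-LDAP fallback written out end to end as an unlang fragment for sites-enabled/default. It assumes the module instance names ldap_local and ntlm_auth used in the thread, and a users-file entry (constructed) standing in for the LDAP radius profile that sets Auth-Type to AD. It differs from Tobias's config in one deliberate way, marked in the comments: the fallback branch tests for fail as well as reject, because rlm_exec derives the module return code from ntlm_auth's exit status and an unreachable AD is not guaranteed to come back as reject; whether the two failure modes map to reject or fail on a given install is an assumption to verify with radiusd -X.

```unlang
# sites-enabled/default (excerpt). Assumed instance names, matching the thread:
#   ldap_local -> the rlm_ldap instance for the local directory
#   ntlm_auth  -> the rlm_exec instance from raddb's ntlm_auth module file

authorize {
    preprocess
    # Constructed stand-in for the LDAP profile in the thread: a users-file
    # entry that tags an account as an AD account, e.g. in raddb/users:
    #   jdoe    Auth-Type := AD
    # It runs before ldap_local because rlm_ldap only assigns an Auth-Type
    # when none has been set yet, so AD users keep "AD".
    files
    # Users that exist only in the local directory get their Auth-Type from
    # this module and never enter the AD section below.
    ldap_local
}

authenticate {
    # The name must match what ldap_local assigns (LDAP on 2.x; confirm in
    # the radiusd -X output for your version).
    Auth-Type LDAP {
        ldap_local
    }

    Auth-Type AD {
        # In this section the default for reject is "return", which would end
        # authentication on the first ntlm_auth failure. A numeric priority
        # lets the section continue so the fallback below can run.
        ntlm_auth {
            reject = 2
        }
        # Assumption, and a deliberate difference from the thread's
        # "if (reject)": catching fail as well covers the case where a down
        # AD surfaces as fail rather than reject. Note that a plain wrong AD
        # password also lands here, so the local bind is attempted whenever
        # the AD check did not positively succeed.
        if (reject || fail) {
            ldap_local
        }
    }
}
```

When testing this, watch the per-module return codes in radiusd -X for two runs: one with a wrong password and one with winbind stopped. If both report reject, the thread's original `if (reject)` is sufficient; if the second reports fail, the combined condition is what keeps the fallback working during an AD outage.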