On 4 Sep 2013, at 13:10, "Hachmer, Tobias" <Tobias.Hachmer@stadt-frankfurt.de> wrote:
How can I do this and how "magic" could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more than rewrite the base DN. When there's no way to determine the DN in AD DIT again I think I can achieve this more easy using ntlm_auth because I just want to check the password against AD, am I right?
Yes.
update control { LDAP-BaseDN !* ANY } open_ldap.authorize open_ldap
Thanks Arran for the answer. I dropped the ldap module for AD and configured ntlm_auth to keep the freeradius config more simple. Then I have defined a new Auth-Type which does ntlm_auth and in case of reject it will fall back to the ldap module. (in case active directory server is not available)
authorize { ... ldap_local ... }
authenticate { ... Auth-Type AD { ntlm_auth { reject = 2 } if (reject) { ldap_local } } ... }
For users who are in active directory I added a new radius profile which sets Auth-Type to "AD". Users who are only in local ldap, the module does this automatically.
Ah, fair enough. Just be aware that LDAP bind will be significantly faster than calling out to ntlm_auth. Doesn't matter if you've got fairly light auth traffic, but may be a factor if your server(s) are heaving loaded. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team