Re: FreeRadius and Active Directory and SSSD
Approaching the problem from a different direction: Rather than "integrating" FR with Active Directory, could I set it up to use LDAP as the Auth-Type ? On 5/9/22, 16:09, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+daniel.e.white=nasa.gov@lists.freeradius.org on behalf of aland@deployingradius.com> wrote: On May 9, 2022, at 3:33 PM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: > > An observation: > The instructions seem to only cover winbind. > As an example, it says to use the "ntlm_auth" command. That command is not part of sssd. See the sssd documentation for other commands to test user name / password authentication with sssd. We didn't write sssd, and we don't know much about it. > Is there a newer version of that guide page that uses sssd instead of winbind ? There is no secret documentation. All of the documentation is public, and is publicly accessible. The Wiki can be edited. If you figure things out, please document them so that other people don't run into the same issues. Waiting for the FR developers to do everything may very well be a lost cause in some cases. Alan DeKok.
On May 10, 2022, at 8:21 AM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Approaching the problem from a different direction: Rather than "integrating" FR with Active Directory, could I set it up to use LDAP as the Auth-Type ?
It depends. PAP? Yes. MS-CHAP? No. The documentation has endless examples of using Samba for AD integration, because in many cases it's required. e.g. for MS-CHAP. Perhaps instead of asking what's possible, describe what you want to do. We can then say how to do it. FreeRADIUS can do almost anything. The main limitations are external. i.e. certain EAP methods don't work with Active Directory, or with certain password storage methods. But if it's possible to do in RADIUS, FreeRADIUS can do it. Alan DeKok.
If you want to do MS-CHAPv2 against AD winbind is probably your only bet, as described in docs. sssd does not do ntlm protocol and I am almost certain it never will be (why would it?) But if PAP or EAP-TTLS is fine, you have options. See http://deployingradius.com/documents/protocols/compatibility.html for compatibility. J. On Tue, May 10, 2022 at 2:22 PM White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Approaching the problem from a different direction: Rather than "integrating" FR with Active Directory, could I set it up to use LDAP as the Auth-Type ?
On 5/9/22, 16:09, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+daniel.e.white=nasa.gov@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On May 9, 2022, at 3:33 PM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: > > An observation: > The instructions seem to only cover winbind. > As an example, it says to use the "ntlm_auth" command. That command is not part of sssd.
See the sssd documentation for other commands to test user name / password authentication with sssd. We didn't write sssd, and we don't know much about it.
> Is there a newer version of that guide page that uses sssd instead of winbind ?
There is no secret documentation. All of the documentation is public, and is publicly accessible.
The Wiki can be edited. If you figure things out, please document them so that other people don't run into the same issues. Waiting for the FR developers to do everything may very well be a lost cause in some cases.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Josef Vybíhal -
White, Daniel E. (GSFC-770.0)[AEGIS]