Multiple AD's and domains?
Hi Guys, I have an upcoming project where the setup is going to be something along the following: Client logs in using their username/password for domain FreeRadius authenticates the user against the AD server for that domain There will be clients using the service from MULTIPLE different AD domains with multiple different AD servers. The freeRadius version will be built from the latest stable source. Now, the stock standard way of authenticating against AD is using samba, joining the domain, and using NTLM Auth. Since I have multiple AD domains, how would this best be handled? I know that PHP is capable of using LDAP to authenticate against an AD server. Can freeRadius also do this? How, or why not? Thanks, ~Justin
Justin Steward wrote:
Now, the stock standard way of authenticating against AD is using samba, joining the domain, and using NTLM Auth. Since I have multiple AD domains, how would this best be handled?
I know that PHP is capable of using LDAP to authenticate against an AD server. Can freeRadius also do this? How, or why not?
ntlm_auth has a --domain parameter. It can be used to authenticate different domains. However... they all need to be part of the same AD forest / whatever. You CANNOT authenticate to two completely independent AD systems. This is a fundamental limitation of AD. Alan DeKok.
On Wed, Jul 22, 2009 at 11:22 AM, Alan DeKok <aland@deployingradius.com>wrote:
However... they all need to be part of the same AD forest / whatever. You CANNOT authenticate to two completely independent AD systems. This is a fundamental limitation of AD.
That's more or less what I was expecting. That is what I need to do, however. I suppose in that case I would need my radius server to proxy to other radius servers for each domain. And with regard to my other question, can I just use plain ol' LDAP to authenticate? A successful LDAP Bind is all I need for our purposes. ~Justin
On Wed, Jul 22, 2009 at 10:15 PM, Alan DeKok <aland@deployingradius.com>wrote:
Justin Steward wrote:
And with regard to my other question, can I just use plain ol' LDAP to authenticate? A successful LDAP Bind is all I need for our purposes.
That will work for PAP.
Ok, thanks for confirmation. Kind Regards, Justin Steward
On Jul 22, 2009, at 02:22 , Alan DeKok wrote:
However... they all need to be part of the same AD forest / whatever. You CANNOT authenticate to two completely independent AD systems. This is a fundamental limitation of AD.
Hi, Well, they don't need to be part of the same forest if you create simple trusts between the multiple AD's. But if you have a Forest, this means you will have Transitive Trusts between the domains. Therefore you can authenticate in every domain (via ntlm_auth). Just to emphasize the key requisite is Trusts between domains/forests and not that they need to be in the same forest. Cheers, Luis Azevedo http://www.braceta.com
participants (3)
-
Alan DeKok -
Justin Steward -
Luis Azevedo