How can i authenticate my users against Active Directory?
Hi @ all, I'm a freeradius newbie and try to authenticate a user against a active directory . My freeradius has version 1.0.2 I googled a lot and found differend hints how to implement this. (ntlm, pam-module), but no configuration example. Which of these ways is the securest way? Are there any other possibilities? Are there any manuals/helps or can someone discribe me how to implement this? thx Christian Schuster
On Wed, Jun 29, 2005, Schuster Christian wrote:
I googled a lot and found differend hints how to implement this. (ntlm, pam-module), but no configuration example.
ntlm_auth works well and has been discussed several times on this list (look at the archives). You can look at my config files : http://ramiel.via.ecp.fr/~endy/config-radius.tar.bz2 (authorization using an external script + MSCHAPv2 ntlm_auth authentication + SQL accounting)
Are there any manuals/helps or can someone discribe me how to implement this?
I have been looking for such a manual for a while a few months ago, but i found nothing comprehensive :( I plan on writing something when i have more time. -- Alexandre Coninx
On Wed, 29 Jun 2005, Schuster Christian wrote:
Hi @ all,
I'm a freeradius newbie and try to authenticate a user against a active directory . My freeradius has version 1.0.2
I googled a lot and found differend hints how to implement this. (ntlm, pam-module), but no configuration example.
Which of these ways is the securest way?
Are there any other possibilities?
Are there any manuals/helps or can someone discribe me how to implement this?
AD runs ldap, you could always try just using the ldap module to authenticate the user to your AD directory. There are several people doing it that have posted to this list, check the archives.
Dusty Doris <freeradius@mail.doris.cc> wrote:
AD runs ldap, you could always try just using the ldap module to authenticate the user to your AD directory.
Nope. AD doesn't provide the password.
Alan DeKok.
Depending on if you really need it. You can always do an ldap search to AD for authorization and if the password is coming over in clear text, you could just do a bind against AD for authentication. Correct?
participants (4)
-
Alan DeKok -
Alexandre Coninx -
Dusty Doris -
Schuster Christian