Freeradius Auth via LDAP against Active Directory Server 2003
Jacob Jarick
mem.namefix at gmail.com
Fri Apr 27 07:24:09 CEST 2007
I have been at this for a while now, so I thought I would share a
summary of what I have figured out so far for anyone else that decides
to try this.
1 - Documentation for this particular configuration is either out of
date / incomplete / both. There are no howtos that will get you from start
to end (if you do know of one or wrote one yourself, please share - I
will myself when I figure it all out).
2 - Most of the trouble is due to the fact that we are making a Linux service
talk to a Windows service (AD LDAP). Freeradius talking to the Linux
passwd file is a breeze by comparison.
3 - The Windows 2003 LDAP implementation will not provide a password when
a user/service performs an LDAP search; the proper way, if I understand
correctly, is to supply a plain-text username/password, then freeradius
performs a bind with the provided credentials against your ADS server,
and success means the password was correct.
4 - Installing "Services For Unix" on 2003 will make AD LDAP provide a
password hash attribute among other Unix LDAP attributes. The user has
to have POSIX enabled.
5 - Anonymous searches can be performed on 2003 AD LDAP if you set
dSHeuristics to 0000002 using adsiedit.msc.
6 - Microsoft's LDAP is different to Novell's (big surprise), and so
unfortunately their documentation isn't too helpful as a reference for
people trying to use ADS in the same fashion.
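The bind-as-user approach from point 3, written out as an rlm_ldap fragment for the FreeRADIUS 1.1.x/2.x radiusd.conf. This is an added example, not configuration from the post or the FreeRADIUS project; the hostname, DNs, service account and certificate path are placeholders.

```conf
# radiusd.conf, "modules" section (FreeRADIUS 1.1.x/2.x rlm_ldap syntax).
# Placeholders: dc1.example.local, the example.local DNs, radius-svc.
ldap {
        server = "dc1.example.local"
        # Service account used only to search for the user's DN. It needs
        # no right to read any password attribute, because AD returns none.
        identity = "cn=radius-svc,cn=Users,dc=example,dc=local"
        password = "service-account-password-placeholder"
        basedn = "dc=example,dc=local"
        # AD accounts are matched on sAMAccountName, not on uid.
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # No password_attribute is set: rlm_ldap therefore cannot compare
        # a stored hash and has to authenticate by binding as the user.
        # Protect the cleartext password on the wire between RADIUS and AD.
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/ad-ca.pem
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authorize {
        preprocess
        # The search above resolves User-Name to a DN for the later bind.
        ldap
}

authenticate {
        # rlm_ldap rebinds with the user's DN and the User-Password from the
        # Access-Request; a successful bind is the only proof of the password.
        Auth-Type LDAP {
                ldap
        }
}
```

Because the bind needs the cleartext password, only PAP requests can be authenticated this way; CHAP or MS-CHAP clients have nothing rlm_ldap can bind with. Test a user with `radtest` and confirm in the debug output (`radiusd -X`) that a wrong password produces a failed bind, and that a request with an empty password is rejected rather than treated as an anonymous bind.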
More information about the Freeradius-Users mailing list