AD Authentication Permissions

A.L.M.Buxey at A.L.M.Buxey at
Sat Jan 5 13:29:01 CET 2013


> (protest if this may sound like hijacking this thread...)
> A short question since Tyler was asking for AD as backend - which I
> have read (so far)
> can't use the LDAP module since AD stores ntlm hashes - at least not
> for authentication.

huh? this wasn't about authentication, it was about authorization - i.e.
passing back details about what a user can do on some kit - that works fine
100% fine with LDAP and AD

> But then for LDAP groups how is that supposed to be done when using
> Samba/Winbind/ntlm_auth?

?? it isn't. ntlm_auth/samba/winbindd is purely for authentication - for
authorization you use the LDAP module talking to your AD and use the AD
as a DB oracle not an authentication source

> Can I use LDAP groups for authorization (interestingly something I've
> not really found covered online or in FreeRADIUS books I've had at
> hand).

it's all covered in the books/docs/wiki
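
The split described in this reply, sketched as an added configuration example (not part of the original message and not taken from the FreeRADIUS documentation): ntlm_auth handles authentication through the mschap module, while the ldap module only looks up group membership in AD. It assumes FreeRADIUS 2.x option names; the server name, bind account, base DN, group DN and reply attribute are placeholders.

```conf
# modules/mschap -- authentication only, delegated to winbind via ntlm_auth
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# modules/ldap -- AD used as a lookup database, never to verify passwords
ldap {
    server   = "dc1.example.org"                                # placeholder
    identity = "cn=radius-lookup,cn=Users,dc=example,dc=org"    # placeholder read-only bind account
    password = "CHANGE_ME"                                      # placeholder
    basedn   = "dc=example,dc=org"                              # placeholder
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # AD lists a user's groups in the memberOf attribute of the user object
    groupmembership_attribute = "memberOf"

    # Do not let the ldap module select LDAP bind as the Auth-Type
    set_auth_type = no
}

# sites-enabled/default (relevant sections only)
authorize {
    mschap      # sets Auth-Type to MS-CHAP when the request carries MS-CHAP attributes
    ldap        # finds the user object so LDAP-Group can be evaluated

    # Authorization decision based on AD group membership (placeholder group DN)
    if (LDAP-Group == "cn=net-admins,ou=Groups,dc=example,dc=org") {
        update reply {
            Service-Type = Administrative-User
        }
    }
    else {
        reject
    }
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}
```

The bind account in the ldap block only needs read access to user objects and their memberOf values, since it is never used to check a user's password.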


More information about the Freeradius-Users mailing list