differentiate authorization/ authentication in separate ldap modules

Hachmer, Tobias Tobias.Hachmer at stadt-frankfurt.de
Tue Sep 3 09:27:47 CEST 2013

Hello list,

First of all, a bit of background about my environment:

- CentOS 6.4
- FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct  3 2012 at 01:22:51
- OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08)

Here we use Microsoft Active Directory (not our responsibility) for user authentication.
I have set up an OpenLDAP master/slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like:

                    LDAP Master
                   /           \
      RADIUS Primary           RADIUS Secondary
      local LDAP copy          local LDAP copy

All RADIUS authorization information is stored in the OpenLDAP DIT using RADIUS profiles.
The usernames in the OpenLDAP DIT and in Active Directory are the same.

The normal scenario should be:

- retrieve authorization from the OpenLDAP DIT (module ldap_openldap)
- authenticate the user (password verification) against Active Directory (module ldap_ad)
  - if the Active Directory server isn't reachable, check the password against module ldap_openldap

After the module ldap_openldap has found the DN for the requesting user freeradius uses the same DN to bind against module ldap_ad. I know this can't work.

Is there a possible solution for this using ldap?

- Configure module ldap_ad to determine the DN of the user again?
- Rewrite the DN?

If not, would this work using ntlm_auth?

Any help appreciated.

Kind regards,
Tobias Hachmer
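A configuration sketch of the flow described in this message (authorization from the local OpenLDAP copy, password check against AD, fallback to OpenLDAP only when AD is unreachable), added here as an illustration and not taken from the post or from the FreeRADIUS project. Host names, base DNs and the service account are hypothetical, and it assumes that 2.x rlm_ldap stores the DN found during authorize in the control attribute Ldap-UserDn and reuses it in authenticate whenever that attribute is present.

```unlang
# modules/ldap_openldap: authorization data from the local OpenLDAP copy
# (hypothetical host and base DN)
ldap ldap_openldap {
    server = "localhost"
    basedn = "ou=people,dc=example,dc=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    set_auth_type = no      # Auth-Type is chosen in unlang below
}

# modules/ldap_ad: password verification against Active Directory
# (hypothetical host, base DN and service account; keep the secret out of VCS)
ldap ldap_ad {
    server = "dc01.ad.example.org"
    identity = "cn=radius,cn=Users,dc=ad,dc=example,dc=org"
    password = "<service-account-password>"
    basedn = "cn=Users,dc=ad,dc=example,dc=org"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    set_auth_type = no
}

# sites-enabled/default
authorize {
    ldap_openldap
    if (ok || updated) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    Auth-Type LDAP {
        # ldap_openldap cached the OpenLDAP DN in control:Ldap-UserDn;
        # drop it so ldap_ad searches AD for its own DN before binding.
        update control {
            Ldap-UserDn !* ANY
        }
        # redundant: move on to the next module only when the previous
        # one *fails* (AD unreachable), never when it rejects.
        redundant {
            ldap_ad
            ldap_openldap
        }
    }
}
```

Note that `redundant` makes a wrong password rejected by AD final; only a module failure (no connection, timeout) reaches the local OpenLDAP copy, which is what keeps the fallback from becoming a second password-guessing path.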