differentiate authorization / authentication in separate ldap modules
Hachmer, Tobias
Tobias.Hachmer at stadt-frankfurt.de
Tue Sep 3 09:27:47 CEST 2013
Hello list,
first of all a bit of background about my environment:
- CentOS 6.4
- FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
- OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08)
Here we use Microsoft Active Directory (not in our responsibility) for User Authentication.
I have set up an OpenLDAP Master/ Slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like:
                  LDAP Master
                       |
         +-------------+-------------+
         |                           |
   RADIUS Primary             RADIUS Secondary
   local LDAP copy            local LDAP copy
All RADIUS authorization information is stored in the OpenLDAP DIT using RADIUS profiles.
The usernames in OpenLDAP DIT and in Active Directory are the same.
The normal scenario should be:
- retrieve authorization from openldap dit (module ldap_openldap)
- authenticate the user (password verification) against active directory (module ldap_ad)
o if active directory server isn't reachable check password against module ldap_openldap
Problem:
After the module ldap_openldap has found the DN for the requesting user freeradius uses the same DN to bind against module ldap_ad. I know this can't work.
Is there a possible solution for this using ldap?
- Configure module ldap_ad to determine the DN of user again?
- Rewrite DN?
If not, would this work using ntlm_auth?
Any help appreciated.
Kind regards,
Tobias Hachmer
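The flow described in the post (authorization from the local OpenLDAP copy, password check against Active Directory, fallback to OpenLDAP when AD is unreachable), written out as a FreeRADIUS 2.x configuration. This is an added example, not configuration from the poster or the FreeRADIUS project. Server names, bind identities, base DNs and the `radiusProfileDn` attribute are placeholders. The `update control` block rests on the editor's reading of rlm_ldap in 2.x: the authorize call stores the matched DN in `control:Ldap-UserDn`, and a later ldap instance binds with that DN instead of searching for its own, which is the failure the post describes; clearing the attribute before calling `ldap_ad` should make each instance resolve the DN itself. Confirm the behaviour with `radiusd -X` before relying on it.

```unlang
# modules/ldap (FreeRADIUS 2.x) -- two instances of rlm_ldap.
# Placeholder hostnames, DNs and passwords; replace before use.

ldap ldap_openldap {
	# Local syncrepl copy of the OpenLDAP master (placeholder host)
	server = "ldap-local.example.invalid"
	identity = "cn=radius,dc=example,dc=invalid"
	password = "CHANGEME"
	basedn = "ou=people,dc=example,dc=invalid"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	# RADIUS profiles are kept in this DIT; attribute name is a placeholder
	profile_attribute = "radiusProfileDn"

	# Only this instance drives authorization, so only it sets Auth-Type := LDAP
	set_auth_type = yes

	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

ldap ldap_ad {
	# Active Directory domain controller (placeholder host)
	server = "dc01.ad.example.invalid"
	identity = "cn=radius,cn=Users,dc=ad,dc=example,dc=invalid"
	password = "CHANGEME"
	basedn = "cn=Users,dc=ad,dc=example,dc=invalid"
	# AD keys the login name on sAMAccountName, not uid
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	# No authorization data comes from AD
	set_auth_type = no

	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

# sites-enabled/default (relevant sections only)

authorize {
	preprocess
	# Pulls the RADIUS profile from OpenLDAP and sets Auth-Type := LDAP
	ldap_openldap
}

authenticate {
	Auth-Type LDAP {
		# Editor's assumption about 2.x behaviour: ldap_openldap stored the
		# OpenLDAP DN in control:Ldap-UserDn during authorize, and the next
		# ldap instance would bind with that DN against AD. Drop it so
		# ldap_ad searches AD for the user's own DN.
		update control {
			Ldap-UserDn !* ANY
		}

		# ldap_ad returns "fail" when the DC cannot be reached, which lets
		# redundant move on to ldap_openldap; a wrong password returns
		# "reject" and stops here, so the fallback does not weaken the check.
		redundant {
			ldap_ad
			ldap_openldap
		}
	}
}
```

Because `redundant` only continues on a module failure (connection error), not on a reject, a user with a wrong AD password is not silently re-tried against the OpenLDAP copy; the fallback only engages when AD is down, which is the behaviour the post asks for.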