differentiate authorization/authentication in separate ldap modules

Michael Schwartzkopff ms at sys4.de
Tue Sep 3 09:38:56 CEST 2013


On Tuesday, 3 September 2013, 07:27:47, Hachmer, Tobias wrote:
> Hello list,
> 
> first of all a bit background about my environment:
> 
> 
> - CentOS 6.4
> - FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
> - OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08)
> 
> Here we use Microsoft Active Directory (not in our responsibility) for User
> Authentication. I have set up an OpenLDAP Master/ Slave construct
> (syncrepl) for RADIUS authorization and (fallback) authentication, like:
> 
>                        LDAP Master
>                       /           \
>       RADIUS Primary                 RADIUS Secondary
>       local LDAP copy                local LDAP copy
> 
> All RADIUS authorization information is stored in the OpenLDAP DIT using
> RADIUS profiles. The usernames in the OpenLDAP DIT and in Active Directory are
> the same.
> 
> The normal scenario should be:
> 
> - retrieve authorization from the OpenLDAP DIT (module ldap_openldap)
> - authenticate the user (password verification) against Active Directory (module ldap_ad)
>   - if the Active Directory server isn't reachable, check the password against module ldap_openldap
> 
> Problem:
> After the module ldap_openldap has found the DN for the requesting user
> freeradius uses the same DN to bind against module ldap_ad. I know this
> can't work.
> 
> Is there a possible solution for this using ldap?
> 
> - Configure module ldap_ad to determine the DN of the user again?
> - Rewrite the DN?
> 
> If not, would this work using ntlm_auth?
> 
> Any help appreciated.
> 
> Kind regards,
> Tobias Hachmer

As far as I know it is not possible to use an ldap module to authenticate 
against AD. See this page for protocol compatibility:

http://deployingradius.com/documents/protocols/compatibility.html


See also the setup guide for ntlm. The first lines say: "The clear-text 
passwords are unavailable through Active Directory, so we have to use Samba, 
and the ntlm_auth helper program".

http://deployingradius.com/documents/configuration/active_directory.html

Greetings,

-- 
Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board of Directors: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
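A FreeRADIUS 2.x configuration sketch of the split the thread is after, added here as an illustration (it is not from either message and not the project's shipped config): the OpenLDAP instance does authorization only, PAP passwords are checked against AD through the stock `ntlm_auth` exec module, and the local copy is bound only when the helper itself fails. Server names, DNs, the bind credential and the domain are placeholders.

```conf
# --- raddb/modules/ldap_openldap: authorization-only instance ---
# (server, bind DN, base DN and credential are placeholders)
ldap ldap_openldap {
        server = "localhost"
        identity = "cn=radius,dc=example,dc=org"
        password = "CHANGEME"
        basedn = "ou=people,dc=example,dc=org"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # keep this instance from claiming Auth-Type := LDAP, so the
        # AD path below is chosen first
        set_auth_type = no
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# --- raddb/modules/ntlm_auth: PAP password check through winbind ---
# (same shape as the stock 2.x module file; domain is a placeholder)
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLEDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- raddb/sites-enabled/default: only the relevant parts ---
authorize {
        preprocess
        # profile attributes and Ldap-UserDn come from the local copy
        ldap_openldap
        # clear-text (PAP) requests go to AD via ntlm_auth
        if (!control:Auth-Type && User-Password) {
                update control {
                        Auth-Type := ntlm_auth
                }
        }
}

authenticate {
        Auth-Type ntlm_auth {
                ntlm_auth
                # rlm_exec maps exit status 0/1/2 to ok/reject/fail; only
                # "fail" falls through to the local bind, so a wrong
                # password is NOT retried against OpenLDAP. Check which
                # status ntlm_auth returns when the DC is unreachable
                # before relying on this as the outage path.
                if (fail) {
                        ldap_openldap
                }
        }
}
```

This covers PAP only, which is the one method where the clear-text password is available to pass to ntlm_auth; for MS-CHAP the `ntlm_auth` setting of rlm_mschap is the matching mechanism.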