AW: differentiate authorization/authentication in separate ldap modules
Hachmer, Tobias
Tobias.Hachmer at stadt-frankfurt.de
Wed Sep 4 14:10:02 CEST 2013
>> How can I do this, and how "magic" could I rewrite the DN?
>> The local LDAP DIT and the AD DIT are totally different (different OU structure). It is much more than rewriting the base DN.
>> When there's no way to determine the DN in the AD DIT again, I think I can achieve this more easily using ntlm_auth, because I just want to check the password against AD. Am I right?
>
>Yes.
>
> update control {
>     LDAP-BaseDN !* ANY
> }
> open_ldap.authorize
> open_ldap
Thanks Arran for the answer. I dropped the ldap module for AD and configured ntlm_auth to keep the FreeRADIUS config simpler.
Then I defined a new Auth-Type which does ntlm_auth and, in case of reject, falls back to the ldap module (in case the Active Directory server is not available):
authorize {
    ...
    ldap_local
    ...
}

authenticate {
    ...
    Auth-Type AD {
        ntlm_auth {
            reject = 2
        }
        if (reject) {
            ldap_local
        }
    }
    ...
}
For users who are in Active Directory I added a new RADIUS profile which sets Auth-Type to "AD".
For users who are only in the local LDAP, the module does this automatically.
Kind regards.
Tobias Hachmer