LDAP and/or Active Directory

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Mar 22 09:46:26 CET 2014


On 22 Mar 2014, at 08:29, Mischa Diehm <mischa.diehm at unibas.ch> wrote:

> Hi
> 
>> 
>>   Active Directory isn't really an LDAP server.  At least, not where it
>> matters.
> 
> There is a huge discussion at the moment at our University where the AD people want to get rid of our central Open-LDAP-Servers with exactly this argument: "AD is an ldap-server like any other". Now I read this comment and would really appreciate it if someone could be a little more verbose on the topic or point me to the documentation on how it differs, especially from a FreeRadius perspective.

AD doesn't expose the cleartext version or NT-Password hash of the user's password, meaning you have to use ntlm_auth for authentication.

> As an example:
> For me it is not clear if I could just use AD as a LDAP-Backend (instead of OpenLDAP) and keep my eduroam configuration otherwise the same, or if I would have to switch to ntlm_auth to get things back to working - which I would really want to avoid since I don't see a reason for making things more complex by having samba and other new dependencies...

You would have to switch to ntlm_auth, or change EAP method. The current ntlm_auth interface with Active Directory is comparatively slow compared to libldap and OpenLDAP. Performance is likely to be in the hundreds of requests per second, whereas FreeRADIUS and OpenLDAP is in the 10s of thousands.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
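Worked example added by the editor, not part of the original thread or of the FreeRADIUS distribution: the two configuration paths the reply above contrasts, written against the stock FreeRADIUS 3.0 raddb layout. Path A lets rlm_ldap pull the stored NT hash out of OpenLDAP so rlm_mschap can verify MS-CHAPv2 locally; Path B, needed for Active Directory because AD will not return the NT hash over LDAP, hands the challenge/response to Samba's ntlm_auth. Hostnames, DNs, the ntlm_auth path and the use of the Samba `sambaNTPassword` attribute are assumptions for the illustration.

```conf
# Added example (editor's illustration, not from the thread or the project).
# Two ways of backing EAP/MS-CHAPv2 in FreeRADIUS 3.0.
# Hostnames, DNs, paths and attribute names below are placeholders.

# --- Path A: OpenLDAP that stores the NT hash -----------------------------
# raddb/mods-available/ldap
# rlm_ldap copies the stored NT hash into control:NT-Password, so rlm_mschap
# can check the MS-CHAPv2 response itself: one LDAP read per auth, no Samba.
ldap {
    server   = 'ldap.example.org'            # placeholder
    identity = 'cn=radius,dc=example,dc=org' # placeholder bind DN
    password = 'change-me'                   # placeholder
    base_dn  = 'dc=example,dc=org'
    update {
        # sambaNTPassword is the Samba schema attribute holding the NT hash;
        # the directory must actually populate it (assumption for this example).
        control:NT-Password := 'sambaNTPassword'
    }
    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# raddb/sites-available/inner-tunnel (relevant lines only)
authorize {
    ldap      # fetch NT-Password from the directory
    mschap    # sets Auth-Type = MS-CHAP when an MS-CHAP response is present
}
authenticate {
    Auth-Type MS-CHAP {
        mschap    # verifies the response against control:NT-Password
    }
}

# --- Path B: Active Directory ---------------------------------------------
# raddb/mods-available/mschap
# AD does not expose the NT hash, so rlm_mschap forwards the challenge and
# response to ntlm_auth, which asks a domain controller through winbind (the
# RADIUS host must be joined to the domain). Each authentication forks a
# helper process, which is why this path is so much slower than Path A.
mschap {
    use_mppe           = yes
    require_encryption = yes
    require_strong     = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Before wiring Path B into the mschap module, check the Samba side on its own: `ntlm_auth --request-nt-key --domain=EXAMPLE --username=alice --password=...` (domain and user are placeholders) should answer `NT_STATUS_OK: Success (0x0)`; if it does not, the host is not correctly joined or winbind is not running, and no FreeRADIUS setting will fix that. Path A only works if the directory really stores the NT hash for every user; a server that stores only `userPassword` in a salted format cannot serve MS-CHAPv2 either, and you would be back to changing the EAP method, as the reply notes.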
