LDAP and/or Active Directory

Mischa Diehm mischa.diehm at unibas.ch
Mon Mar 24 09:51:50 CET 2014


first of all thanks for the clarifying and quick responses - really appreciate it!

There hasn't been, so far, a completion of that conversation. .. ie exhaustive list of things you can do our steps to take to improve that queries/sec value with AD. The discussion did cover certain things , samba 4 rather than 3, tweaks to ntlm_auth, tweaks to code... tweaks to the AD system you're talking to etc. Am keeping my eyes/ears open for further input and will write up where necessary.

For me using ntlm_auth seems like a great deal of adding complexity and dependencies compared to using ldap. I see no real gain in the ntlm_auth road when it comes to User-Auth.

Using it for group-validation is a different story and could - for us - be very handy since our Groups are defined and stored in AD and haven't found their way into LDAP yet. So I was looking for a way to achieve that.

When looking around I found that radiator has sth. called Auth-By ADSI (Active Directory Service Interfaces<https://en.wikipedia.org/w/index.php?title=Active_Directory_Service_Interfaces&redirect=no>). In the description it says:

"During authentication, AuthBy ADSI check and honours AccountDisabled, IsAccount- Locked and LoginHours for the user being authenticated. It also checks the users pass- word (by attempting to change it). Because Active Directory does not make the plaintext password available, <AuthBy ADSI> only supports PAP, not CHAP or MSCHAP authentication."

This would not be usable in case of eduroam (restrictions you guys already mentioned concerning AD as LDAP equivalent) but in almost all of our other use cases where we have the Password transmitted. Has this been looked at or event implemented within freeradius? Maybe it's already possible to use this with the LDAP module? I guess it also gets rid of the performance issues since we're back to ldap. It also removes the complexity addons due to samba installation.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/mailman/private/freeradius-users/attachments/20140324/2c646b28/attachment.html>

More information about the Freeradius-Users mailing list