LDAP and/or Active Directory

Alan DeKok aland at deployingradius.com
Tue Mar 25 21:55:38 CET 2014

Mischa Diehm wrote:
> For me using ntlm_auth seems like a great deal of adding complexity and
> dependencies compared to using ldap. I see no real gain in the ntlm_auth
> road when it comes to User-Auth.

  You're missing the point.  Active Directory does *not* give a password
to FreeRADIUS, so that FreeRADIUS can do the authentication.

  For MS-CHAP or PEAP, your *only* choice with AD is to use ntlm_auth.
It doesn't matter if you think it's complex.  It's the ONLY choice.

> Using it for group-validation is a different story and could - for us -
> be very handy since our Groups are defined and stored in AD and haven't
> found their way into LDAP yet. So I was looking for a way to achieve that. 

  For group lookups, AD is just an LDAP server.  That works.

> "During authentication, AuthBy ADSI check and honours AccountDisabled,
> IsAccount- Locked and LoginHours for the user being authenticated. It
> also checks the users pass- word (by attempting to change it). Because
> Active Directory does not make the plaintext password available, <AuthBy
> ADSI> only supports PAP, not CHAP or MSCHAP authentication."

  Yes.... FreeRADIUS can do "Auth-Type := LDAP" with PAP authentication
to AD.  You don't need ntlm_auth for that.

> This would not be usable in case of eduroam (restrictions you guys
> already mentioned concerning AD as LDAP equivalent) but in almost all of
> our other use cases where we have the Password transmitted.

  The use Auth-Type := LDAP.

> Has this
> been looked at or event implemented within freeradius?

  Yes... we've been doing this for 15 years.

> Maybe it's
> already possible to use this with the LDAP module?

  Yes, for User-Password in the Access-Request.

  Alan DeKok.

More information about the Freeradius-Users mailing list