LDAP and/or Active Directory
Alan DeKok
aland at deployingradius.com
Tue Mar 25 21:55:38 CET 2014
Mischa Diehm wrote:
> For me using ntlm_auth seems like a great deal of adding complexity and
> dependencies compared to using ldap. I see no real gain in the ntlm_auth
> road when it comes to User-Auth.
You're missing the point. Active Directory does *not* give a password
to FreeRADIUS, so that FreeRADIUS can do the authentication.
For MS-CHAP or PEAP, your *only* choice with AD is to use ntlm_auth.
It doesn't matter if you think it's complex. It's the ONLY choice.
> Using it for group-validation is a different story and could - for us -
> be very handy since our Groups are defined and stored in AD and haven't
> found their way into LDAP yet. So I was looking for a way to achieve that.
For group lookups, AD is just an LDAP server. That works.
> "During authentication, AuthBy ADSI check and honours AccountDisabled,
> IsAccountLocked and LoginHours for the user being authenticated. It
> also checks the users password (by attempting to change it). Because
> Active Directory does not make the plaintext password available, <AuthBy
> ADSI> only supports PAP, not CHAP or MSCHAP authentication."
Yes.... FreeRADIUS can do "Auth-Type := LDAP" with PAP authentication
to AD. You don't need ntlm_auth for that.
> This would not be usable in case of eduroam (restrictions you guys
> already mentioned concerning AD as LDAP equivalent) but in almost all of
> our other use cases where we have the Password transmitted.
Then use Auth-Type := LDAP.
> Has this
> been looked at or even implemented within freeradius?
Yes... we've been doing this for 15 years.
> Maybe it's
> already possible to use this with the LDAP module?
Yes, for User-Password in the Access-Request.
Alan DeKok.
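The split described in the thread (ntlm_auth for MS-CHAP/PEAP, an LDAP bind for PAP, and AD treated as a plain LDAP server for group checks) can be expressed in FreeRADIUS configuration. The fragment below is an added illustration written for this page in FreeRADIUS 3.0 syntax; it is not part of Alan's reply or of the project's shipped configuration. The domain controller name, the bind DN and password, the group DN, and the path to the ntlm_auth binary are assumed placeholders.

```unlang
# mods-available/mschap: MS-CHAP and PEAP/MSCHAPv2 are verified by handing
# the challenge/response to winbind's ntlm_auth, because AD never releases
# the password (or NT hash) to FreeRADIUS. Path and domain are assumptions.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# mods-available/ldap: AD is queried like any other LDAP server. The bind
# identity is a low-privilege read-only account (assumed DN and password).
ldap {
	server = "dc1.example.org"
	identity = "CN=radius-reader,CN=Users,DC=example,DC=org"
	password = "CHANGE-ME"
	base_dn = "DC=example,DC=org"
	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	group {
		base_dn = "${..base_dn}"
		filter = "(objectClass=group)"
		membership_attribute = "memberOf"
	}
}

# sites-available/default (relevant sections only).
authorize {
	preprocess
	# mschap sets Auth-Type := MS-CHAP when MS-CHAP-Challenge/Response are present.
	mschap
	# Look the user up in AD; this also makes LDAP-Group usable below.
	ldap
	# PAP only: a cleartext User-Password lets us authenticate by binding to AD
	# as the user. This is the "Auth-Type := LDAP" case from the thread.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
	# Group restriction works against AD with either authentication method,
	# because group membership is an ordinary LDAP lookup. Group DN assumed.
	if (!(LDAP-Group == "CN=wifi-users,OU=Groups,DC=example,DC=org")) {
		reject
	}
}

authenticate {
	# PAP: bind to AD with the supplied password.
	Auth-Type ldap {
		ldap
	}
	# MS-CHAP / PEAP inner: ntlm_auth via winbind.
	mschap
}
```

Note that with this layout a PAP request never touches ntlm_auth, and an MS-CHAP request never attempts an LDAP bind; the only thing the two paths share is the user and group lookup in the authorize section. The host must already be joined to the domain with winbind running for ntlm_auth to work, which is the extra dependency the thread refers to.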