LDAP and/or Active Directory

Mischa Diehm mischa.diehm at unibas.ch
Wed Mar 26 12:22:46 CET 2014


Hi,


From:  Alan DeKok <aland at deployingradius.com>
Reply-To:  FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Date:  Dienstag, 25. März 2014 21:55
To:  FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject:  Re: LDAP and/or Active Directory

> Mischa Diehm wrote:
>>  For me using ntlm_auth seems like a great deal of adding complexity and
>>  dependencies compared to using ldap. I see no real gain in the ntlm_auth
>>  road when it comes to User-Auth.
> 
>   You're missing the point.  Active Directory does *not* give a password
> to FreeRADIUS, so that FreeRADIUS can do the authentication.
> 
>   For MS-CHAP or PEAP, your *only* choice with AD is to use ntlm_auth.
> It doesn't matter if you think it's complex.  It's the ONLY choice.

Thanks for the clarification. My main intent wasn't to make PEAP/MS-CHAP
work but to have PAP work with AD. Now after some more reading and
discussion I'm quite confident it is possible to sync sambaNTPassword to the
global catalog of AD (which we use also use in the PAP auth) and have things
aligned and in a way that is actually less complex and less slow using the
ldap module. I will be testing this in the near future.

In a private discussion with a list member I was told that PAP is much less
secure than using MSCHAPv2 but I disagree with this argument. No gain in
terms of security when using MSCHAPv2. Both need a secure transport layer.

Summing this up I think the lesson learned - at least for me - is that it
doesn't really matter if you have AD or LDAP as a backend store. You can
have the full flexibility with both backends.

Mischa





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/mailman/private/freeradius-users/attachments/20140326/0374d368/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2202 bytes
Desc: not available
URL: <http://lists.freeradius.org/mailman/private/freeradius-users/attachments/20140326/0374d368/attachment-0001.bin>


More information about the Freeradius-Users mailing list