Limitation of authenticating against AD

Alan DeKok aland at
Wed Sep 3 20:01:41 CEST 2014

Dennis Xu wrote:
> Thanks for the information. So FreeRadius uses LDAP to authenticate against AD and LDAP cannot read the passwords in those formats. Apparently ACS has a different implementation on authenticating against AD that they don't care about the password format stored in AD:

  ACS has either (a) used the NT domain API, like Samba 3 does.  Or (b)
used the new AD replication protocol like Samba 4 does.

  So there's nothing special about ACS.  Other than they're Cisco, and
can afford ten million dollars to inter-operate with AD.

  We will NOT be re-writing Samba.  The way to interact with AD is
Samba.  Full stop.  No other alternative is possible.

  Alan DeKok.

More information about the Freeradius-Users mailing list