LDAP and AD authentication on the same FreeRadius server

Alan DeKok aland at deployingradius.com
Mon Jul 23 15:06:11 CEST 2018


On Jul 23, 2018, at 5:26 AM, Denis CLAVIER via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I am trying to set up a FreeRadius server for a VPN connection used by users stored in an LDAP or in an AD. I succeeded to authenticate on LDAP and on AD separately with the two following radtest commands : 
> 
> LDAP : radtest dclavier "password" localhost 0 testing123
> AD : radtest -t mschap dclavier "Password1234*" localhost 0 testing123
> 
> However, I would like to configure the FreeRadius server to authenticate users on LDAP or AD, based on the realm. For example, user dclavier at ldap.com should use ldap authentication, and dclavier at ad.com should use mschap authentication (or ntlm_auth) without specifying which method to use. So, I would like FreeRadius to choose the right Auth-Type according to the realm. At least, I would like FreeRadius to try the second auth-type if the first failed.

  It's better to do it right the first time.  Getting it wrong and doing something else is bad.

> I looked at the proxy.conf file to perform what I want, but I can't find how to specify the auth type for each realm.

  You have to put that together yourself.

  FreeRADIUS gives you the tools to solve problems.  It doesn't give you every solution to every possible problem that everyone can have.

> So I would like to know if it is possible to perform authentication for users from LDAP and users from AD with only one FreeRadius server. If yes, I would be happy if you can suggest how to do it.

  Configure the two realms:

# proxy.conf: the "realm" keyword is required, otherwise the parser sees a
# plain config section and the realm module never learns about it.
# No auth_pool / home_server inside the braces, so nothing is proxied.
realm ldap.com {
}

realm ad.com {
}

  This tells the server that the realms exist, but that they shouldn't be proxied anywhere.  The documentation in "proxy.conf" should give you more guidance here.

  Then, in the "authorize" section, after the "suffix" module, do:

	if (Realm == "ldap.com") {
		update control {
			Auth-Type := "ldap"
		}
	}
	elsif (Realm == "ad.com") {
		update control {
			Auth-Type := "ad"
		}
	}

  Alan DeKok.
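The following is an added, complete wiring of the realm-based selection sketched in the reply; it is example configuration written for this page, not Alan DeKok's or the FreeRADIUS project's own snippet. It assumes FreeRADIUS 3.x with the stock mods-enabled `ldap`, `mschap` and `ntlm_auth` modules, the realms declared in proxy.conf as above, and the "suffix" instance of rlm_realm populating `Realm` and `Stripped-User-Name`. The `Auth-Type` names, the virtual server name `vpn` and the "reject anything else" default are assumptions, chosen so a request can never reach the wrong backend when a realm is missing or unknown.

```unlang
# Added example, not from the original thread.  Assumes FreeRADIUS 3.x.

# --- proxy.conf -------------------------------------------------------
# Declare both realms with no home servers: the realm module strips the
# suffix and sets Realm / Stripped-User-Name, but nothing is proxied.
realm ldap.com {
}
realm ad.com {
}

# --- sites-enabled/vpn  (assumed virtual server name) -----------------
server vpn {
	authorize {
		# "suffix" is the rlm_realm instance from mods-enabled/realm.
		# It splits user@realm into Stripped-User-Name and Realm.
		suffix

		# Force the backend from the realm.  ":=" overrides anything a
		# module may already have put into control:Auth-Type.
		if (&Realm == "ldap.com") {
			update control {
				&Auth-Type := ldap
			}
		}
		elsif (&Realm == "ad.com") {
			# PAP requests carry User-Password and must go through
			# ntlm_auth; MS-CHAP requests carry MS-CHAP-Challenge and
			# MS-CHAP2-Response and go through the mschap module.
			if (&User-Password) {
				update control {
					&Auth-Type := ntlm_auth
				}
			}
			else {
				update control {
					&Auth-Type := MS-CHAP
				}
			}
		}
		else {
			# Assumption: no realm, or an unknown one, is not allowed
			# to fall through to a default backend.  Fail closed.
			reject
		}
	}

	authenticate {
		# Bind to the LDAP server as Stripped-User-Name / User-Password.
		Auth-Type ldap {
			ldap
		}
		# Validate MS-CHAPv1/v2 against AD (mschap is configured with
		# ntlm_auth in mods-available/mschap).
		Auth-Type MS-CHAP {
			mschap
		}
		# PAP against AD via the exec "ntlm_auth" module.
		Auth-Type ntlm_auth {
			ntlm_auth
		}
	}
}
```

Because the realm decides the backend before any authentication module runs, a user in ldap.com is never tried against AD and vice versa, and the "try the other one if the first fails" behaviour asked for in the question is deliberately not provided. Verify each path with `radiusd -X` and the two `radtest` invocations from the question, using `dclavier@ldap.com` and `dclavier@ad.com` as the user names, and confirm that a bare `dclavier` without a realm is rejected in the debug output.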