Migrating FR 3.0.19 from using WINBIND to LDAP for AD auth
Matthew Newton
mcn at freeradius.org
Fri Aug 16 16:42:34 CEST 2019
On Fri, 2019-08-16 at 14:22 +0000, WAGHORN, Jason (NHS BORDERS) via
Freeradius-Users wrote:
> I'm planning to migrate the AD authentication method we use from
> WINBIND/NTLM_AUTH to LDAP to be able to control who has access to use
> devices.
Are you confusing authentication and authorisation?
How does changing the auth method alter who can get on?
> I'm sensing that the way to do this is to disable the ntlm_auth
> module, configure the ldap module, enable the ldap module and then
> modify the site config to use ldap instead of ntlm_auth?
Using LDAP (with AD) for auth will restrict you to using PAP methods
only. So basically TTLS/PAP.
> Has anyone else done it and have a set of steps to follow that they
> are willing to share? Just trying to avoid reinventing the wheel.
Sounds like you just need to keep ntlm/winbind auth and add an LDAP
lookup to check that the user authenticating is actually allowed on or
not.
--
Matthew
More information about the Freeradius-Users
mailing list