AD authorization with LDAP module? Mix with other methods necessary?
aland at deployingradius.com
Wed Jan 22 13:40:11 CET 2020
On Jan 22, 2020, at 2:10 AM, uj2.hahn at posteo.de wrote:
> I have a running freeradius instance on Ubuntu for authorization against Windows AD, based on ntlm_auth.
> But to get more group depended post-auth capabilities I thought I can switch to LDAP module.
> I tested that in a test installation with OpenLDAP (instead of AD) and it worked fine.
> But now I was going to rollout this method to AD and failed to check the good password.
> Of course I'm aware that OpenLDAP and AD handles passwords differently so the surprise was not too big.
> So my questions are:
> - can I mix ntlm_auth for authorization and LDAP to do some group depended post-auth actions?
Yes. They're just modules. That's why they're listed separately in the configuration. Because they're separate.
> - is that needed at all and there are ways to run LDAP only (in that case I probably did something
> wrong so far)?
AD will not export passwords to FreeRADIUS. So it's largely impossible to just use LDAP.
More information about the Freeradius-Users