AD authorization with LDAP module? Mix with other methods necessary?
uj2.hahn at posteo.de
uj2.hahn at posteo.de
Wed Jan 22 20:06:34 CET 2020
Thanks, Alan and Jason!
And sorry to ask these questions for 451st time.... ;-)
Regards
Uwe
On 22.01.2020 13:40, Alan DeKok wrote:
> On Jan 22, 2020, at 2:10 AM, uj2.hahn at posteo.de wrote:
>> I have a running freeradius instance on Ubuntu for authorization against Windows AD, based on ntlm_auth.
>> But to get more group depended post-auth capabilities I thought I can switch to LDAP module.
> Yes.
>
>> I tested that in a test installation with OpenLDAP (instead of AD) and it worked fine.
>> But now I was going to rollout this method to AD and failed to check the good password.
>> Of course I'm aware that OpenLDAP and AD handles passwords differently so the surprise was not too big.
>>
>> So my questions are:
>> - can I mix ntlm_auth for authorization and LDAP to do some group depended post-auth actions?
> Yes. They're just modules. That's why they're listed separately in the configuration. Because they're separate.
>
>> - is that needed at all and there are ways to run LDAP only (in that case I probably did something
>> wrong so far)?
> AD will not export passwords to FreeRADIUS. So it's largely impossible to just use LDAP.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list