AD authorization with LDAP module? Mix with other methods necessary?

uj2.hahn at posteo.de uj2.hahn at posteo.de
Wed Jan 22 20:06:34 CET 2020


Thanks, Alan and Jason!
And sorry to ask these questions for the 451st time... ;-)

Regards
Uwe

On 22.01.2020 13:40, Alan DeKok wrote:
> On Jan 22, 2020, at 2:10 AM, uj2.hahn at posteo.de wrote:
>> I have a running FreeRADIUS instance on Ubuntu for authorization against Windows AD, based on ntlm_auth.
>> But to get more group-dependent post-auth capabilities I thought I could switch to the LDAP module.
>    Yes.
>
>> I tested that in a test installation with OpenLDAP (instead of AD) and it worked fine.
>> But now I was going to roll out this method to AD and failed to check the good password.
>> Of course I'm aware that OpenLDAP and AD handle passwords differently, so the surprise was not too big.
>>
>> So my questions are:
>> - can I mix ntlm_auth for authorization and LDAP to do some group-dependent post-auth actions?
>    Yes.  They're just modules.  That's why they're listed separately in the configuration.  Because they're separate.
>
>> - is that needed at all, and are there ways to run LDAP only (in that case I probably did something
>>    wrong so far)?
>    AD will not export passwords to FreeRADIUS.  So it's largely impossible to just use LDAP.
>
>    Alan DeKok.

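The split described in the reply above, sketched as a FreeRADIUS 3.x virtual-server fragment: ntlm_auth (through the mschap module) verifies the password against AD, and the ldap module is used only for group lookups in post-auth. This is an added example, not configuration from the thread; the group DN, the VLAN ID and the assumption that mods-enabled/mschap and mods-enabled/ldap are already configured for the AD domain are hypothetical.

```conf
# sites-enabled/default (fragment), FreeRADIUS 3.x syntax assumed.
# Assumes mods-enabled/mschap already sets ntlm_auth = "..." and
# mods-enabled/ldap points at an AD domain controller with a read-only
# bind account and group membership read from memberOf.

authorize {
    preprocess
    mschap      # sees MS-CHAP attributes and sets Auth-Type := MS-CHAP
    ldap        # finds the user's AD object; AD returns no password,
                # so this step cannot supply a "known good" password
}

authenticate {
    # The password check stays with AD: mschap hands the challenge and
    # response to ntlm_auth, which asks winbind / the domain controller.
    Auth-Type MS-CHAP {
        mschap
    }
    # No "Auth-Type LDAP" section: LDAP is used for lookups only.
}

post-auth {
    # LDAP-Group triggers a group membership query through the ldap module.
    # The DN and VLAN below are constructed placeholders.
    if (LDAP-Group == "cn=wifi-staff,ou=Groups,dc=example,dc=com") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
}
```

For EAP methods with an inner tunnel (PEAP, TTLS), the same ldap and post-auth entries would go in the inner-tunnel virtual server, where the real user identity is visible.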