Hello list,

first of all a bit background about my environment:


- CentOS 6.4

- FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct  3 2012 at 01:22:51

- OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08)

Here we use Microsoft Active Directory (not in our responsibility) for User 
Authentication.
I have set up an OpenLDAP Master/ Slave construct (syncrepl) for RADIUS 
authorization and (fallback) authentication, like:

                      LDAP Master
                           |
             -----------------------------
             |                           |
      RADIUS Primary              RADIUS Secondary
      local LDAP copy             local LDAP copy

All RADIUS authorization information is stored in the OpenLDAP DIT using 
RADIUS profiles.
The usernames in OpenLDAP DIT and in Active Directory are the same.

The normal scenario should be:

- retrieve authorization from openldap dit (module ldap_openldap)

- authenticate the user (password verification) against active directory (module ldap_ad)

  - if active directory server isn't reachable check password against module ldap_openldap

Problem:
After the module ldap_openldap has found the DN for the requesting user 
freeradius uses the same DN to bind against module ldap_ad. I know this can't 
work.

Is there a possible solution for this using ldap?

- Configure module ldap_ad to determine the DN of user again?

- Rewrite DN?

If not, would this work using ntlm_auth?

Any help appreciated.

Kind regards,
Tobias Hachmer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
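An added configuration sketch of the flow the post describes (authorize from the local OpenLDAP copy, verify the password against AD, fall back to OpenLDAP when AD is unreachable). This is not configuration from the original post or from the FreeRADIUS project; server names, base DNs and the AD service account are placeholders. It also assumes that rlm_ldap in FreeRADIUS 2.x keeps the DN found during authorize in the Ldap-UserDn request attribute and reuses it on authenticate, which is the behaviour the post observes; check the attribute name against the dictionary of the installed version.

```conf
# --- modules/ldap_openldap: local OpenLDAP replica, authorization + fallback auth
ldap ldap_openldap {
        server = "localhost"                                  # placeholder
        basedn = "ou=people,dc=example,dc=org"                # placeholder
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# --- modules/ldap_ad: Active Directory, password verification only
ldap ldap_ad {
        server = "dc1.ad.example.org"                         # placeholder
        # AD does not allow anonymous searches; a read-only service account
        # is used to look up the user's DN before the user bind.
        identity = "cn=radius-svc,cn=Users,dc=ad,dc=example,dc=org"   # placeholder
        password = "CHANGE-ME"                                # placeholder
        basedn = "dc=ad,dc=example,dc=org"                    # placeholder
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        # short network timeout so an unreachable DC fails fast and the
        # redundant block below can fall back to OpenLDAP
        net_timeout = 1
}

# --- sites-enabled/default (relevant parts)
authorize {
        preprocess
        # profile / reply attributes come from the OpenLDAP DIT
        ldap_openldap
        if (ok || updated) {
                update control {
                        Auth-Type := LDAP
                }
        }
}

authenticate {
        Auth-Type LDAP {
                # ldap_openldap stored the OpenLDAP DN in the request; remove it so
                # ldap_ad performs its own search instead of binding with that DN
                update request {
                        Ldap-UserDn !* ANY
                }
                # redundant: move to the next module only on "fail" (e.g. AD
                # unreachable), not on "reject" (wrong password)
                redundant {
                        ldap_ad
                        ldap_openldap
                }
        }
}
```

With `redundant`, a wrong password against AD still produces a reject and is not retried against OpenLDAP; only a module failure (server down, connection timeout) triggers the fallback, which is what the post asks for. Check with `radiusd -X` that ldap_ad logs its own search and bind rather than the OpenLDAP DN.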
