On 4 Sep 2013, at 13:10, "Hachmer, Tobias" <tobias.hach...@stadt-frankfurt.de>
wrote:
>>> How can I do this and how "magic" could I rewrite the DN?
>>> The local ldap DIT and the AD DIT are totally different (different OU
>>> structure). It is much more than rewrite the base DN.
>>> When there's no way to determine the DN in AD DIT again I think I can
>>> achieve this more easy using ntlm_auth because I just want to check the
>>> password against AD, am I right?
>>
>> Yes.
>>
>> update control {
>> LDAP-BaseDN !* ANY
>> }
>> open_ldap.authorize
>> open_ldap
>
> Thanks Arran for the answer. I dropped the ldap module for AD and configured
> ntlm_auth to keep the freeradius config more simple.
> Then I have defined a new Auth-Type which does ntlm_auth and in case of
> reject it will fall back to the ldap module. (in case active directory server
> is not available)
>
> authorize {
> ...
> ldap_local
> ...
> }
>
> authenticate {
> ...
> Auth-Type AD {
> ntlm_auth {
> reject = 2
> }
> if (reject) {
> ldap_local
> }
> }
> ...
> }
>
> For users who are in active directory I added a new radius profile which sets
> Auth-Type to "AD".
> Users who are only in local ldap, the module does this automatically.
Ah, fair enough. Just be aware that LDAP bind will be significantly faster
than calling out to ntlm_auth.
Doesn't matter if you've got fairly light auth traffic, but may be a factor if
your server(s) are heaving loaded.
Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
