On 4 Sep 2013, at 13:10, "Hachmer, Tobias" <tobias.hach...@stadt-frankfurt.de> wrote:

>>> How can I do this and how "magic" could I rewrite the DN?
>>> The local ldap DIT and the AD DIT are totally different (different OU
>>> structure). It is much more than rewrite the base DN.
>>> When there's no way to determine the DN in AD DIT again I think I can
>>> achieve this more easily using ntlm_auth because I just want to check the
>>> password against AD, am I right?
>>
>> Yes.
>>
>> update control {
>>     LDAP-BaseDN !* ANY
>> }
>> open_ldap.authorize
>> open_ldap
>
> Thanks Arran for the answer. I dropped the ldap module for AD and configured
> ntlm_auth to keep the freeradius config more simple.
> Then I have defined a new Auth-Type which does ntlm_auth and in case of
> reject it will fall back to the ldap module. (in case active directory server
> is not available)
>
> authorize {
>     ...
>     ldap_local
>     ...
> }
>
> authenticate {
>     ...
>     Auth-Type AD {
>         ntlm_auth {
>             reject = 2
>         }
>         if (reject) {
>             ldap_local
>         }
>     }
>     ...
> }
>
> For users who are in active directory I added a new radius profile which sets
> Auth-Type to "AD".
> For users who are only in local ldap, the module does this automatically.

Ah, fair enough. Just be aware that LDAP bind will be significantly faster than calling out to ntlm_auth. Doesn't matter if you've got fairly light auth traffic, but may be a factor if your server(s) are heavily loaded.

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
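The fallback described in the thread, written out as a fuller unlang configuration. This is an added example, not configuration from the original post or from the FreeRADIUS project: the module names `ntlm_auth` and `ldap_local` and the `Auth-Type AD` section follow the post, while the realm match (`@ad.example`) used to select AD users in place of the poster's RADIUS profile, and the `fail = 2` override, are assumptions that need checking against the server version in use. The numeric values are return-code priorities; the point of `reject = 2` is that the default action for `reject` in `authenticate` would end the section immediately, so no `if` after it would ever run.

```unlang
# sites-available/default (constructed excerpt, not the shipped file)

authorize {
    ...
    # Local directory users: ldap_local sets Auth-Type for them itself.
    ldap_local

    # Assumption: AD accounts are recognised by realm. The original post
    # used a RADIUS profile for this instead; either way the outcome is
    # control:Auth-Type := AD for those users only.
    if (User-Name =~ /@ad\.example$/i) {
        update control {
            Auth-Type := AD
        }
    }
    ...
}

authenticate {
    ...
    Auth-Type AD {
        ntlm_auth {
            # Keep "reject" as a priority instead of the default "return",
            # so the section continues and the if() below can inspect it.
            reject = 2
            # Assumption: also continue when the exec itself fails (for
            # example ntlm_auth could not be run), so an unreachable DC
            # reaches the fallback too.
            fail = 2
        }
        # Fallback to the local directory. As in the original post, this
        # also runs when AD answered with a plain wrong-password reject,
        # not only when AD was unavailable; a user who exists in both
        # directories is therefore accepted with either password.
        if (reject || fail) {
            ldap_local
        }
    }
    ...
}
```

When deciding whether the fallback should fire on `reject` as well as `fail`, compare what `ntlm_auth` returns for a wrong password against what it returns when the domain controller cannot be reached in your deployment (run the server in debug mode and watch the module return code); the fallback condition should only cover the cases you actually intend to pass through to `ldap_local`.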