Re: Freeradius and Active Directory Question (FreeRADIUS Users forums, Networking and Network Related category)
You're making this more complicated than it is (and please don't talk
about me like I'm not here).

To authenticate plain credentials against AD is no different than authenticating against any other LDAP server, except for the fact that your uid attribute is different. So, read the docs for the LDAP module (rlm_ldap), add the ldap module to your authorize and authenticate blocks, and make sure your search filter in your ldap module configuration looks something like:

    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

instead of the default, which uses "uid" as the LDAP search attribute. You don't need to extend the schema of your AD tree. It already has everything you need for simple authentication.

Part of the reason I said it was overkill is that, in order to get it to work, you have to jump through the hoops of getting Samba set up correctly (with winbindd) and get your machine joined to your domain. With LDAP, you don't have to rely on an external piece to do this; all the necessary pieces are completely internal to FreeRADIUS. This only works in cases where you're getting cleartext credentials from the client (hopefully tunneled via SSL or the like). Since this is the case in your scenario, that works.

Now, as to your question of whether or not the mschap module will work for your application, it won't... not the way it's currently coded. You could, however, force the use of ntlm_auth yourself with cleartext credentials using rlm_exec; however, that's a horrible kludge when you can just use LDAP.

--Mike

Graham, Robert wrote:
> What is the best way to authenticate users against Active Directory via Freeradius? Is it with ntlm_auth or LDAP?
>
> My scenario is to authenticate our VPN users (using Cisco VPN clients and VPN concentrators) against AD via radius. Somebody mentioned that if MSCHAP is not used during the process that ntlm_auth is overkill. Does that mean it will not work? But, if it does work, how do I go about doing it?
>
> If ntlm_auth is not a viable solution, how about LDAP? In this case, will I need to install AD4UNIX or Microsoft's Services for Unix to extend the schema of our Active Directory? And have the Administrator's BaseDN and password hard coded in the ldap.conf file so searches would be possible?
>
> Hopefully, someone out there has done this and could provide some pointers...
>
> Thanks in advance
> Robert Graham
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
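To make the rlm_ldap setup Mike describes concrete, here is what it looks like in FreeRADIUS 3.x configuration syntax. This is an added example, not part of the original thread or of the FreeRADIUS distribution; the 1.x-era "filter =" line from the reply lives under a user { } subsection in 3.x. The host name, DNs, service-account name, password and CA certificate path are assumptions. Two points a practitioner would want are built in: with Auth-Type LDAP the server binds to the domain controller as the user, so the user's password travels to AD and the connection should be LDAPS with certificate verification; and the search identity only needs read access to the directory, so it should be a dedicated low-privilege account rather than the Administrator account Robert asks about.

```conf
# mods-available/ldap  (FreeRADIUS 3.x; all names below are assumed values)
ldap {
	# LDAPS, because Auth-Type LDAP sends the user's own password to the DC
	# in a simple bind. Plain ldap:// would expose every VPN password on the wire.
	server = 'ldaps://dc1.example.com'

	# Read-only service account used only for the sAMAccountName search.
	# It does not need domain admin rights; keep this file mode 0640.
	identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'
	password = 'search-account-password'

	base_dn = 'DC=example,DC=com'

	user {
		base_dn = "${..base_dn}"
		# AD keys accounts on sAMAccountName, not the default uid attribute.
		# No schema extension (AD4UNIX, Services for Unix) is needed for this.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		# Verify the DC certificate; never trust an unverified server with passwords.
		ca_file = /etc/ssl/certs/ad-root-ca.pem
		require_cert = 'demand'
	}
}

# sites-enabled/default  (only the parts relevant to LDAP authentication)
authorize {
	preprocess

	# Look the user up in AD. The leading "-" means "don't fail if the module
	# is not enabled", matching the distribution's default site.
	-ldap

	# AD never returns a password attribute, so pap cannot take over.
	# If the user was found and the request carries a cleartext password,
	# authenticate by binding to the directory as that user.
	if ((ok || updated) && User-Password && !control:Auth-Type) {
		update {
			control:Auth-Type := ldap
		}
	}

	pap
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

Test it with the server in debug mode (radiusd -X) and a PAP request from the local client entry, e.g. radtest alice 'her-password' 127.0.0.1 0 testing123, and look for Access-Accept plus a successful bind in the ldap module's debug output. This path only works for PAP; if the VPN concentrator sends MS-CHAPv2, rlm_ldap cannot help, because AD does not expose the NT hash over LDAP, which is exactly the case where the ntlm_auth/winbind route Mike describes becomes necessary.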