>> How can I do this and how "magic" could I rewrite the DN?
>> The local ldap DIT and the AD DIT are totally different (different OU 
>> structure). It is much more than rewriting the base DN. 
>> When there's no way to determine the DN in the AD DIT again, I think I can 
>> achieve this more easily using ntlm_auth because I just want to check the 
>> password against AD, am I right?
>
>Yes.
>
>update control {
>       LDAP-BaseDN !* ANY
>}
>open_ldap.authorize
>open_ldap

Thanks Arran for the answer. I dropped the ldap module for AD and configured 
ntlm_auth to keep the freeradius config simpler.
Then I defined a new Auth-Type which does ntlm_auth and, in case of reject, 
falls back to the ldap module (in case the active directory server is not 
available).

authorize {
...
        ldap_local
...
}

authenticate {
...
        Auth-Type AD {
                ntlm_auth {
                        reject = 2
                }
                if (reject) {
                        ldap_local
                }
        }
...
}

For users who are in active directory I added a new radius profile which sets 
Auth-Type to "AD".
For users who are only in local ldap, the module does this automatically.

Kind regards.
Tobias Hachmer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html