>> How can I do this and how "magic" could I rewrite the DN?
>> The local ldap DIT and the AD DIT are totally different (different OU
>> structure). It is much more than rewriting the base DN.
>> When there's no way to determine the DN in the AD DIT again, I think I can
>> achieve this more easily using ntlm_auth because I just want to check the
>> password against AD, am I right?
>
> Yes.
>
> update control {
>     LDAP-BaseDN !* ANY
> }
> open_ldap.authorize
> open_ldap
Thanks Arran for the answer.

I dropped the ldap module for AD and configured ntlm_auth to keep the freeradius config simpler. Then I defined a new Auth-Type which does ntlm_auth and, in case of reject, falls back to the ldap module (in case the active directory server is not available).

authorize {
    ...
    ldap_local
    ...
}

authenticate {
    ...
    Auth-Type AD {
        ntlm_auth {
            reject = 2
        }
        if (reject) {
            ldap_local
        }
    }
    ...
}

For users who are in active directory I added a new radius profile which sets Auth-Type to "AD". For users who are only in local ldap, the module does this automatically.

Kind regards.

Tobias Hachmer