Jonathan L Ocab wrote:
> I believe you shed light onto the AD situation, but one item of note is that
> my campus' primary user store is OpenLDAP and is what is used by our
> production FreeRADIUS services.

Authenticating *only* to OpenLDAP is easy, and it works.

> What I need to do is so our primary AD forest's domain controllers can be
> used. An Active Directory domain authenticated host/workstation would need to
> use AD for the user store and anything else would go against OpenLDAP.

I don't know what that means. You're using AD to store user information, and LDAP for "everything else". What is "everything else"? Why would it matter to RADIUS?

> But we also have the issue where there are separate AD forests in our campus
> environment.

If they're completely separate, your best bet is to run one VM per AD forest. Have the VM run FreeRADIUS + Samba. Configure a central FreeRADIUS proxy to send packets to the appropriate VM.

> I will do some testing in my development environment to leverage ntlm_auth
> against our main campus AD store.

That's the best way. If it works for ntlm_auth, FreeRADIUS can just leverage that.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
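The layout Alan describes (one FreeRADIUS + Samba VM per AD forest, a central proxy routing by realm, and everything else still answered from OpenLDAP) can be expressed in two FreeRADIUS configuration fragments. The following is an added example, not configuration from the list thread or from the FreeRADIUS project; the realm names `forest-a.example` / `forest-b.example`, the RFC 5737 addresses, the `CHANGE-ME` secrets, the domain name `FORESTA`, and the `ntlm_auth` path are all placeholders to be replaced with site values.

```conf
# ---- On the central proxy: proxy.conf ------------------------------------
# One home_server per forest VM.  Status-Server checks let the proxy notice a
# dead VM instead of timing out every request against it.

home_server forest_a_vm {
        type = auth
        ipaddr = 192.0.2.10          # placeholder: VM joined to forest A
        port = 1812
        secret = CHANGE-ME-A         # placeholder shared secret
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
}

home_server forest_b_vm {
        type = auth
        ipaddr = 192.0.2.20          # placeholder: VM joined to forest B
        port = 1812
        secret = CHANGE-ME-B         # placeholder shared secret
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
}

# A pool may list several home_servers if a forest gets a second VM later.
home_server_pool forest_a_pool {
        type = fail-over
        home_server = forest_a_vm
}

home_server_pool forest_b_pool {
        type = fail-over
        home_server = forest_b_vm
}

# The "suffix" realm module (called from the authorize section of the site)
# splits user@realm and matches the realm name here.  By default the realm
# is stripped before proxying, so the VM receives the bare user name.
realm forest-a.example {
        auth_pool = forest_a_pool
}

realm forest-b.example {
        auth_pool = forest_b_pool
}

# A realm with no auth_pool is handled locally: everything that is not one
# of the AD realms keeps authenticating against OpenLDAP on the proxy itself.
realm DEFAULT {
}

# ---- On each forest VM: mods-available/mschap --------------------------------
# Samba is joined to that forest; FreeRADIUS hands the MS-CHAP challenge and
# response to ntlm_auth and lets the domain controller validate them.
mschap {
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=FORESTA --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

The first thing to verify on each VM, before touching FreeRADIUS, is the step Jonathan already planned: run `ntlm_auth` by hand as the radiusd user against that forest. If that succeeds, the `mschap` fragment above is only gluing the same call into the server; if it fails, no RADIUS configuration will fix it.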

