the RADIUS server must use the LDAP protocol to connect to Active Directory
Hi all
I have a task: the RADIUS server must use the LDAP protocol to connect to Active Directory on Debian. I configured RADIUS and it connects to Active Directory via ntlm_auth, but it needs to be configured through the LDAP protocol. Help!

I believe FreeRADIUS works with OpenLDAP.

OpenLDAP is a server, and LDAP itself is a protocol through which you can contact AD.

There are 2 ways to do this. One is to put the ldap config into radius, an example:
https://www.golinuxcloud.com/freerad...ADIUS_for_LDAP

The other way is to define the auth module to use PAM and a service name, like MYRADIUS. Add the service name to /etc/pam.d, then use the pam_ldap modules for authentication for that service. Since you are managing things that aren't in Linux, the config would be pretty stripped down, like:
Code:

I prefer to do it the pam way because I find radius configuration to be pretty esoteric and I can debug pam easier. If you are using the radius server for other things and you are good with radius, then I'd do the integrated way.

One way I know is that you have an LDAP server and you get credentials from there,
and I have to take data from AD through the LDAP protocol.

Our IDM gurus have been doing this for years at work.
A few years back they had to implement LDAPS, as plain LDAP is considered a security risk: https://learn.microsoft.com/en-us/tr...tion-authority

ldap/ldaps, not much difference in the config except you need to use a different port and a cert.

There is a samba way to do this (join the domain) but this is not required. AD essentially IS an ldap server, you just have to follow its rules. Here is a link that uses pam_ldap with a 'search' account. I don't think you need nslcd for caching.
https://www.virtono.com/community/tu...-under-debian/

Once again, your config (pam) is not to login but to provide the service to radius. The linux server itself DOES NOT use it for anything except for the pam file for the radius server. All you need is authenticate. You don't use common-auth. Then you configure radius to use pam and the service name. You enable pam and use the pam_auth directive to use the pam module file in /etc/pam.d/MYRADIUS (or whatever service name you choose). That file would have only authenticate for pam_ldap, which of course is configured for AD. It is probably simply:
Code:
auth required pam_ldap.so

I've done this several times, with several services like OAUTH, Yubikey, Safeword, LDAP, where radius is using pam and calling the pam module of the service. Then the radius server serves the clients (like linux boxes) using pam_radius, which is even easier to use, or networking boxes that talk radius, or wifi controllers. It's a little more complicated when you have multiple ways to auth, like AD and if that fails use Yubikey. But the pam modules have ways to pass the "password" down through the stack to the next auth method (there must be a way to do this in radius, because you can define multiple auth methods). The reason this works is that how to do AD to pam is well understood, and radius to PAM/auth is well understood, so it just puts the two together to get a solution, AD to radius.

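The ldap-versus-ldaps point made in the last two posts, as an added example (my code, not from this thread, FreeRADIUS or any PAM module): a minimal BER encoder for an LDAPv3 simple BindRequest and a decoder for the BindResponse (RFC 4511 structure). It shows that the bind password is a plain OCTET STRING inside the message, so on ldap:// without StartTLS a packet capture contains it verbatim; ldaps:// or StartTLS is what keeps it off the wire. The bind DN, password, host names and the server reply are constructed placeholders; no directory is contacted.

```python
"""Added example: what an LDAPv3 simple bind looks like on the wire (RFC 4511
BER structure), and why ldap:// without StartTLS exposes the bind password.
Names, DNs, the password and the server reply below are constructed."""


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n, tag=0x02):
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0A), minimal two's-complement body."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
    return tlv(tag, body)


def simple_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind = tlv(0x60,                                  # [APPLICATION 0] BindRequest
               ber_int(3)                             # LDAP protocol version 3
               + tlv(0x04, bind_dn.encode())          # name: LDAPDN as OCTET STRING
               + tlv(0x80, password.encode()))        # simple [0]: the password, unencrypted
    return tlv(0x30, ber_int(msg_id) + bind)          # outer LDAPMessage SEQUENCE


def password_visible_on_wire(msg, password):
    """True if the raw password bytes appear verbatim in the encoded message,
    i.e. a capture of a plain ldap:// session would contain them."""
    return password.encode() in msg


def _read_tlv(buf, pos):
    """Read one BER element at pos; return (tag, value bytes, next position)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long-form length
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN,
    diagnosticMessage } }; resultCode 0 = success, 49 = invalidCredentials."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:                                   # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode(),
            "diagnostic": diag.decode()}


def sample_bind_response(msg_id, result_code, diag=""):
    """Constructed server reply, built with the same encoder (no real AD involved)."""
    result = ber_int(result_code, tag=0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, result))


def bind_transport_is_safe(url, start_tls=False):
    """ldaps://, or ldap:// upgraded with StartTLS before the bind, keeps the
    password off the wire in cleartext; bare ldap:// does not."""
    u = url.lower()
    return u.startswith("ldaps://") or (u.startswith("ldap://") and start_tls)


if __name__ == "__main__":
    req = simple_bind_request(1, "CN=svc-radius,OU=Service,DC=example,DC=com", "Secr3t!")
    print(req.hex())
    print("password readable in capture:", password_visible_on_wire(req, "Secr3t!"))
    print(parse_bind_response(sample_bind_response(1, 49, "invalid credentials (constructed)")))
    print(bind_transport_is_safe("ldap://dc1.example.com"),
          bind_transport_is_safe("ldaps://dc1.example.com"))
```

The same cleartext exposure applies to the 'search' account's bind that pam_ldap or the FreeRADIUS ldap module performs, so the server URL in that config should be ldaps:// (port 636) or ldap:// with StartTLS and a CA certificate the server is checked against.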
Thanks for the answer.
My task: attach RADIUS to LDAP and do the password check through ntlm_auth. RADIUS must conform to the EAP-PEAP standard with a TLS tunnel, on self-signed certificates.

The first part: if you use pam auth in radius, you can call either ntlm or ldap auth; it just matters what you have in your pam file.
The second: I've done EAP/TLS return, but I'm sure it is similar in freeradius.

I do a check via ntlm_auth and it works,
but I don't understand how to do LDAP authorization. Who can describe the process?

Authorization or Authentication? These are 2 distinct things; I was talking authentication. I don't know a mapping between AD and linux for authorization; it might exist but I have never done it.

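The authorization step asked about above, as an added example (my code, not from this thread or any project): once the password has been verified (by ntlm_auth, or by a PAM/LDAP bind for PAP), the RADIUS server looks the user up over LDAP(S) and uses the AD attributes to decide the reply. The LDIF below is constructed sample data in the format ldapsearch prints, including a base64 value and a folded line; the group DNs and VLAN numbers are assumptions. The code rejects accounts with the ACCOUNTDISABLE bit (0x0002) of userAccountControl set and maps whole-DN group membership to the standard VLAN reply attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id).

```python
"""Added example: the authorization step of an AD-backed RADIUS server.
After the password check, the user's AD entry is read over LDAP(S) and its
attributes decide the reply. The LDIF below is constructed sample data in
ldapsearch's output format; group DNs and VLAN numbers are assumptions."""
import base64

ACCOUNTDISABLE = 0x0002   # userAccountControl flag set on disabled AD accounts

# Assumed policy: permitted group DN -> VLAN handed back to the NAS.
# Keys are lowercased because AD distinguished names compare case-insensitively.
VLAN_BY_GROUP = {
    "cn=wifi-staff,ou=groups,dc=example,dc=com": "20",
    "cn=wifi-guest,ou=groups,dc=example,dc=com": "99",
}

# Constructed search results, not output from a real directory.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=com
sAMAccountName: jdoe
userAccountControl: 512
memberOf: CN=WiFi-Staff,OU=Groups,DC=example,DC=com
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=com

dn: CN=Old Contractor,OU=Staff,DC=example,DC=com
sAMAccountName: contractor1
userAccountControl: 514
memberOf: CN=WiFi-Staff,OU=Groups,DC=example,DC=com

dn: CN=Guest Kiosk,OU=Staff,DC=example,DC=com
sAMAccountName: kiosk
userAccountControl: 512
description:: TGFiIHVzZXI=
memberOf: CN=Printers,OU=Groups,
 DC=example,DC=com
"""


def _unfold(lines):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return one dict per entry, attribute -> list of values; '::' values are base64."""
    entries, cur = [], {}
    for line in _unfold(text.splitlines()) + [""]:
        if not line.strip():              # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def account_disabled(entry):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return bool(uac & ACCOUNTDISABLE)


def authorize(entry):
    """(reply_code, reply_attributes) for a user whose password already verified."""
    if account_disabled(entry):
        return "Access-Reject", {"Reply-Message": "account disabled"}
    # Compare whole DNs, not substrings, so "CN=WiFi-Staff-Guests" cannot match "CN=WiFi-Staff".
    groups = {dn.lower() for dn in entry.get("memberOf", [])}
    for dn, vlan in VLAN_BY_GROUP.items():
        if dn in groups:
            return "Access-Accept", {"Tunnel-Type": "VLAN",
                                     "Tunnel-Medium-Type": "IEEE-802",
                                     "Tunnel-Private-Group-Id": vlan}
    return "Access-Reject", {"Reply-Message": "no permitted group"}


def find_user(entries, sam_account_name):
    """Look up by sAMAccountName, the AD attribute a RADIUS User-Name maps to."""
    for entry in entries:
        if entry.get("sAMAccountName", [""])[0].lower() == sam_account_name.lower():
            return entry
    return None


def decide(ldif_text, user_name):
    """Full authorization decision from the directory result for one User-Name."""
    entry = find_user(parse_ldif(ldif_text), user_name)
    if entry is None:
        return "Access-Reject", {"Reply-Message": "unknown user"}
    return authorize(entry)


if __name__ == "__main__":
    for name in ("jdoe", "contractor1", "kiosk", "nobody"):
        print(name, decide(SAMPLE_LDIF, name))
```

The split matters for the PEAP case in this thread: inside a PEAP/MSCHAPv2 tunnel the server never sees the cleartext password, so it cannot bind to AD as the user; ntlm_auth does the password check and the LDAP search (with the read-only 'search' account) supplies the group and account-status data for authorization.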
Check out the links below, they might help or give you some idea:
https://www.golinuxcloud.com/integra...ive-directory/
https://wiki.freeradius.org/guide/fr...egration-howto
Good luck!

Who can show examples of the LDAP file in RADIUS for working with AD?