This commit is contained in:
Petar Cubela
2025-09-07 13:07:01 +02:00
parent c83d178b77
commit 584265c22c
92 changed files with 3011 additions and 100 deletions

@@ -0,0 +1,16 @@
## Authenticating Users with LDAP
Please be aware the FreeRADIUS is an AAA server, and LDAP is a _database_. This separation of roles means that FreeRADIUS supports multiple kinds of authentication protocols such as `PAP`, `CHAP`, `MS-CHAP`, etc. An LDAP database supports only one authentication method: "bind as user". This authentication method is compatible only with PAP.
Our recommendation is to use LDAP as a database. FreeRADIUS should read the "known good" password from LDAP, and then use that information to authenticate the user. It is almost always wrong to use the LDAP "bind as user" method for authenticating users.
The only caveat to the above recommendation is Active Directory. For "security" reasons, Active Directory will not return the "known good" password to FreeRADIUS over a standard LDAP query. Therefore when Active Directory is used, the choices are:
PAP
- Use "bind as user"
[MS-CHAP::](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap) Use [`ntlm`](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/ntlm_auth) and [`winbind`](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap) configuration.
Due to the limitations of Active Directory, There are unfortunately no other possible choices.
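Review bot: the choices list in the last three lines of this hunk is malformed. "PAP" stands alone as a bare line, the next line is a bullet that reads as unrelated to it, and the MS-CHAP entry is written as a link label with a stray "::" rather than a list item, so the rendered page shows one orphaned heading-like word, one bullet and one broken link instead of the two options the text announces. Suggest two parallel items, e.g. `- PAP: use "bind as user"` and `- MS-CHAP: use the ` `ntlm_auth` ` and ` `winbind` ` configuration in the mschap module`, keeping the existing module links on the item text. Two smaller points in the same hunk: "Please be aware the FreeRADIUS is an AAA server" should read "Please be aware that FreeRADIUS is an AAA server", and "There" in the closing sentence should be lower-case. The MS-CHAP item also links `winbind` to the mschap file; that is where the winbind settings live, so either say so in the item or label the link accordingly, otherwise a reader expects a separate winbind module.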