notes/projects/gg/freeradius/20250728-FreeRADIUS-docs.md
Petar Cubela 584265c22c 20250907
2025-09-07 13:07:01 +02:00


## Authenticating Users with LDAP
Please be aware that FreeRADIUS is an AAA server, and LDAP is a _database_. This separation of roles means that FreeRADIUS supports multiple kinds of authentication protocols such as `PAP`, `CHAP`, `MS-CHAP`, etc. An LDAP database supports only one authentication method: "bind as user". This authentication method is compatible only with PAP.
Our recommendation is to use LDAP as a database. FreeRADIUS should read the "known good" password from LDAP, and then use that information to authenticate the user. It is almost always wrong to use the LDAP "bind as user" method for authenticating users.
The only caveat to the above recommendation is Active Directory. For "security" reasons, Active Directory will not return the "known good" password to FreeRADIUS over a standard LDAP query. Therefore when Active Directory is used, the choices are:

- PAP: Use "bind as user"
- [MS-CHAP](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap): Use [`ntlm`](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/ntlm_auth) and [`winbind`](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap) configuration.

Due to the limitations of Active Directory, there are unfortunately no other possible choices.
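As an added illustration (not part of these notes or of the files FreeRADIUS ships), the recommended "LDAP as a database" setup next to the two Active Directory fallbacks, in FreeRADIUS 3.2.x configuration syntax; the server name, DNs, bind password and `ntlm_auth` path are placeholders.

```text
# Added example: FreeRADIUS 3.2.x fragments contrasting the approaches described
# above. Hostnames, DNs, passwords and paths are placeholders.

# --- Recommended: LDAP used purely as a database (mods-available/ldap) ---
ldap {
    server   = 'ldap.example.org'                 # placeholder
    identity = 'cn=freeradius,dc=example,dc=org'  # placeholder read-only account
    password = 'change-me'                        # placeholder
    base_dn  = 'dc=example,dc=org'
    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        # Copy the "known good" password into the control list so that the
        # pap, chap and mschap modules can each check the client's response
        # against it; no bind with the user's own credentials is needed.
        control:Password-With-Header += 'userPassword'
        control:NT-Password          := 'ntPassword'
    }
}

# --- AD fallback 1: PAP via "bind as user" (sites-available/default) ---
authorize {
    ldap
    # Only taken when LDAP returned no usable password and the client sent
    # a cleartext User-Password, i.e. a PAP request.
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update {
            control:Auth-Type := ldap
        }
    }
}
authenticate {
    Auth-Type LDAP {
        ldap        # binds to the directory as the user; works for PAP only
    }
    mschap
    pap
}

# --- AD fallback 2: MS-CHAP via winbind (mods-available/mschap) ---
mschap {
    # ntlm_auth path is a placeholder; winbind must be joined to the AD domain.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    winbind_username = "%{mschap:User-Name}"
    winbind_domain   = "%{mschap:NT-Domain}"
}
```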