[RADIATOR] LDAP forwarding to two Active Directory Servers

Heikki Vatiainen hvn at open.com.au
Wed May 7 16:18:49 CDT 2014


On 05/07/2014 07:46 PM, CLAdirect - Sergei Kortscheff wrote:

> A hotspot service uses forms authentication to validate users against an
> Active Directory server, using LDAP port 389, so far so good.
> 
> The problem begins when we require to authenticate against two active
> directory servers on two separate domains. Since the WiFi solution only
> allows associating one single server to authenticate, maybe I could use
> radiator as a proxy to relay all LDAP data to both Active Directory servers.
> 
> Can something like this be done?

Maybe something like this would work:

<Handler>
  AuthByPolicy ContinueUntilAccept
  <AuthBy LDAP2>
      # Settings for AD 1
  </AuthBy>
  <AuthBy LDAP2>
      # Settings for AD 2
  </AuthBy>
</Handler>

The above would try AD 1 first and if it does not accept the attempt
(password is wrong, the AD itself is unreachable, anything else), then
AD 2 would be tried.

Note: this works for plain password based authentication (PAP) where no
Access-Challenges are needed.

There are other possible AuthByPolicies too. Please see the reference
manual for the details.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
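One way to fill in the two AuthBy LDAP2 clauses sketched in the reply above, as an added example that is not part of the original post or of Radiator's own documentation. Host names, DNs, certificate paths, the shared secret and the bind-account credentials are placeholders, and the Timeout value is a choice rather than a requirement.

```text
<Client DEFAULT>
    # Shared secret used by the hotspot controller (placeholder)
    Secret CHANGEME-shared-secret
</Client>

<Handler>
    # Try each AuthBy in order until one of them returns ACCEPT
    AuthByPolicy ContinueUntilAccept

    <AuthBy LDAP2>
        Identifier      AD-domain1
        # Placeholder host name; STARTTLS on 389 keeps the binds encrypted
        Host            dc1.domain1.example
        Port            389
        UseTLS
        SSLVerify       require
        SSLCAFile       /etc/radiator/certs/domain1-ca.pem
        # Read-only bind account used only to look up the user's DN
        AuthDN          CN=radiator-bind,OU=Service Accounts,DC=domain1,DC=example
        AuthPassword    CHANGEME-bind-password-1
        BaseDN          DC=domain1,DC=example
        UsernameAttr    sAMAccountName
        # Let AD verify the password by binding as the user instead of
        # reading a password attribute out of the directory
        ServerChecksPassword
        HoldServerConnection
        # Give up quickly on an unreachable DC so the second domain is tried
        Timeout         5
    </AuthBy>

    <AuthBy LDAP2>
        Identifier      AD-domain2
        Host            dc1.domain2.example
        Port            389
        UseTLS
        SSLVerify       require
        SSLCAFile       /etc/radiator/certs/domain2-ca.pem
        AuthDN          CN=radiator-bind,OU=Service Accounts,DC=domain2,DC=example
        AuthPassword    CHANGEME-bind-password-2
        BaseDN          DC=domain2,DC=example
        UsernameAttr    sAMAccountName
        ServerChecksPassword
        HoldServerConnection
        Timeout         5
    </AuthBy>
</Handler>
```

Because a wrong password in the first domain falls through to the second, every failed login is counted against the lockout policy of both directories, which is worth knowing when tuning lockout thresholds. ServerChecksPassword needs the cleartext password from the request, which matches the PAP-only note in the reply.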
