
AD, freeradius, openldap combination


I'm setting up a HA environment with centralized user administration.
I'm currently considering the following setup

For MS clients, authenticate directly to AD
For *nix clients, authenticate to an OpenLDAP proxy which authenticates to AD
For Routers/switches use FreeRADIUS to authenticate against the OpenLDAP proxy

The goals for the setup are:
1. One login for all networked nodes
2. Centralized user authentication
3. Single resource for user information
4. Highly available authentication service
5. No serious performance impact
6. Alternative login when service is unavailable
7. Easily scalable
8. Easy rollout

1, 2, 3 and 7 are achieved using AD
4 can be achieved by a combination of a load balancer for each service
and multiple instances of each service
Not sure if 5 is realistic, but it should be possible I suppose
6 is no problem for any host
8 can be done through scripting

What I would like to know now is:
Is it advisable to set it up like this?
Are there 'better' ways to achieve the same result (performance,
availability, ease of maintenance)?
Would it be better to let RADIUS talk directly to AD, possibly even
using the MS RADIUS server?
Is it advisable to use an OpenLDAP proxy for *nix authentication, or
can I just as well use AD directly?

The main reasons for me to assume this setup is the most suitable are:
AD replicates by default
OpenLDAP proxy does not need to replicate
OpenLDAP is more 'compatible' with the *nix clients
FreeRADIUS does not need to replicate
All can be load-balanced easily.

The main question I want to know from the OpenLDAP list is: "how well
does the OpenLDAP proxy perform?"

For the remainder, if anyone wants to shed some light on this, I would
greatly appreciate it.

Thanks a lot in advance.


Serge Fonville


Convince Google!!
They need to support Adsense over SSL
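The two configuration fragments below are an added illustration of the proposed chain (FreeRADIUS -> OpenLDAP proxy -> AD); they are not part of the original post and were not supplied by its author. They assume OpenLDAP 2.4 slapd.conf syntax with the slapd-ldap backend, FreeRADIUS 2.x rlm_ldap syntax, and placeholder names (example.com, dc1/dc2, ldapproxy, the service-account DNs and passwords). The security-relevant points a practitioner will want to check are marked in the comments: the proxy passes the user's own bind through to AD so no password is ever stored on the proxy, all hops are TLS with certificate verification, searches run as a read-only AD account, and, because AD never returns a password attribute over LDAP, this path supports PAP only. Switches or routers that send CHAP or MS-CHAP need the NT hash, which is the case for letting FreeRADIUS talk to AD directly via ntlm_auth/winbind rather than through an LDAP proxy.

```conf
# ----- slapd.conf on the OpenLDAP proxy (assumed OpenLDAP 2.4 syntax) -----
include             /etc/openldap/schema/core.schema
include             /etc/openldap/schema/cosine.schema
include             /etc/openldap/schema/nis.schema

# Server-side TLS for clients (PAM/NSS hosts, FreeRADIUS) connecting to the proxy
TLSCertificateFile      /etc/openldap/certs/ldapproxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldapproxy.key
# CA that signed the AD domain controllers' certificates (assumed path)
TLSCACertificateFile    /etc/openldap/cacerts/ad-ca.pem

database            ldap
suffix              "dc=example,dc=com"
# Two domain controllers: slapd-ldap tries the next URI when the first is unreachable,
# which is what makes the proxy itself stateless and safe to put behind a load balancer.
uri                 "ldaps://dc1.example.com/ ldaps://dc2.example.com/"
# Pass the client's own simple bind straight through to AD: the password is
# verified by AD and never cached or stored on the proxy.
rebind-as-user      yes
# AD returns referrals for other naming contexts; chasing them just adds latency.
chase-referrals     no
# Searches on behalf of clients (NSS lookups, the RADIUS user lookup) are done as a
# read-only AD service account, because AD refuses anonymous search.
# Keep this account unprivileged: it only needs read access to the user OU.
idassert-bind       bindmethod=simple
                    binddn="cn=ldapproxy,ou=Service Accounts,dc=example,dc=com"
                    credentials="change-me"
                    mode=none
                    tls_reqcert=demand
idassert-authzFrom  "*"

# ----- FreeRADIUS 2.x: raddb/modules/ldap (assumed syntax) -----
ldap {
    # The proxy, or a load-balancer VIP in front of several identical proxies
    server = "ldapproxy.example.com"
    port = 389
    # Read-only account used only for the user lookup in authorize
    identity = "cn=radius,ou=Service Accounts,dc=example,dc=com"
    password = "change-me"
    basedn = "ou=Users,dc=example,dc=com"
    # AD login name; Stripped-User-Name handles realm-stripped names
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    # Keep the pool small and the timeouts short so a dead proxy fails fast
    # and the NAS falls back to local login (goal 6 in the post)
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # StartTLS to the proxy with certificate verification; never send the
    # user's password over a cleartext LDAP hop
    tls {
        start_tls = yes
        cacertfile = /etc/raddb/certs/proxy-ca.pem
        require_cert = "demand"
    }
    # Deliberately no password_attribute: AD returns none, so rlm_ldap falls
    # back to binding as the user (Auth-Type LDAP). That requires the NAS to
    # send a cleartext User-Password, i.e. PAP; CHAP/MS-CHAP cannot work here.
}

# ----- FreeRADIUS 2.x: raddb/sites-enabled/default (relevant sections only) -----
authorize {
    preprocess
    # Looks the user up via the proxy; with no password attribute found and a
    # User-Password present, rlm_ldap sets Auth-Type := LDAP
    ldap
    pap
}
authenticate {
    Auth-Type LDAP {
        # Binds to the proxy as the user's DN; the proxy rebinds to AD
        ldap
    }
}
```

Test the chain end to end before pointing any switch at it, e.g. `ldapwhoami -ZZ -H ldap://ldapproxy.example.com -D "cn=someuser,ou=Users,dc=example,dc=com" -W` against the proxy, then `radtest someuser 'password' localhost 0 testing123` on the RADIUS host, and confirm with `radiusd -X` that the bind is going through the proxy rather than being answered by a cached password. Take one domain controller down while doing this to verify the failover and timeout behaviour the comments describe.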