ldap/ldaps, not much difference in the config except you need to use a different port and a cert.
There is a samba way to do this (join the domain) but this is not required. AD essentially IS a ldap server, you just
have to follow its rules. Here is a link that uses pam_ldap, a 'search' account. I don't think you need nclsd for caching.
https://www.virtono.com/community/tu...-under-debian/
Once again, your config (pam) is not to login but to provide the service to radius. The linux server itself DOES NOT use it for
anything except for the pam file for the radius server. All you need is authenticate. You don't use common-auth.
The you configure radius to use pam and the service name. You enable pam and use the pam_auth directive to use the pam module file in /etc/pam.d/MYRADIUS (or whatever service name you choose). That file would have only authenticate for pam_ldap, which of course is configured for AD. It is probably simply:
Code:
auth required pam_ldap.so
I've done this several times, with several services like OAUTH, Yubikey, Safeword, LDAP, where radius is using pam and calling the pam module of the service. Then the radius servers serves the clients (like linux boxes) using pam_radius, which is even easier to use or networking boxes that talk radius, or wifi controllers. Its a little more complicated when you have multiple ways to auth, like AD and if that fails use Yubikey. But the pam modules have ways to pass the "password" down through the stack to the next auth method (there must be a way to do this in radius, because you can define multiple auth methods).
The reason this works is that how to do AD to pam is well understood, and radius to PAM/auth is well understood so it just puts the two together to get a solution, AD to radius.
the RADIUS server must use the LDAP protocol to connect to Active Directory
