Freeradius Auth via LDAP against Active Directory Server 2003

Jacob Jarick mem.namefix at gmail.com
Sun Apr 29 08:20:08 CEST 2007


Thanks for the very detailed instructions.

I will attempt this shortly (brought rad & ad servers home for weekend study).

Quite possibly the biggest learning curve for me is the ldap fields
but I am finally starting to get familiar with them.

Cheers again, will post back once I've run the radtest.

On 4/28/07, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> I haven't been following your (quite extensive) queries, so apologies if
> I've missed something fundamental.
>
> I honestly don't know why this is proving so difficult. I've just tested
> this against our own 2k3 AD service, and although I'm pretty familiar
> with FR it took under 5 minutes. Try following the instructions below.
> These were tested with FreeRadius 1.1.4
>
> 1. First, create or locate an existing account which FreeRadius can bind
> and do its searches as. Record the following variables:
>
> SEARCHDN=<the DN of the account>
> SEARCHPW=<the password>
> BASEDN=<the DN below which all your accounts live in AD>
> ADHOST=<hostname of the AD controller you'll search against>
>
> For example, these might be:
>
> SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> SEARCHPW=blahblah
> BASEDN=OU=My Site,DC=mysite,DC=com
>
> 2. Next, take the default "radiusd.conf"
>
> 3. Find the start of the modules section:
>
> modules {
>   ...
>
> Delete this line and all the following lines
>
> 4. Insert the following config:
>
> modules {
>    ldap {
>      server = "$ADHOST"
>      identity = "$SEARCHDN"
>      password = "$SEARCHPW"
>
>      basedn = "$BASEDN"
>      filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>
>      dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>      ldap_connections_number = 5
>      timeout = 4
>      timelimit = 3
>      net_timeout = 1
>    }
>
>    preprocess {
>      huntgroups = ${confdir}/huntgroups
>      hints = ${confdir}/hints
>
>      with_ascend_hack = no
>      ascend_channels_per_line = 23
>
>      with_ntdomain_hack = no
>      with_specialix_jetstream_hack = no
>      with_cisco_vsa_hack = no
>    }
>
>    detail {
>      detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>      detailperm = 0644
>    }
>
> }
>
> instantiate {
> }
>
> authorize {
>    preprocess
>
>    ldap
> }
>
> authenticate {
>    Auth-Type LDAP {
>      ldap
>    }
> }
>
>
> preacct {
>    preprocess
> }
>
> accounting {
>    detail
> }
>
>
> session {
> }
>
> post-auth {
> }
>
> pre-proxy {
> }
>
> post-proxy {
> }
>
> 5. Start the server with -X
>
> 6. Run "radtest" to send a checking PAP request
>
> It should work.
>
> The above config is the ABSOLUTE BARE MINIMUM server config which will
> check PAP requests ONLY against an AD LDAP server. I do NOT recommend
> you go into service with this config. Try to look at it, understand how
> it's doing what it's doing, *then* start again with the default
> FreeRadius config and make the absolute minimum changes to get back to
> that point.
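Added example (not code from either poster or from FreeRADIUS itself): a stand-alone Python model of what the quoted `ldap {}` block and `Auth-Type LDAP` section make rlm_ldap do for a PAP request, so the SEARCHDN/SEARCHPW/BASEDN values can be reasoned about before touching radiusd.conf. The directory contents, the `FakeLdapServer` class and the helper names (`strip_user_name`, `build_filter`, `pap_authenticate`) are all constructed for this illustration; there is no network access, so it runs offline. The flow it models is the real one: bind with the search account, look up the user's DN below basedn with the `sAMAccountName` filter, then rebind as that DN with the cleartext PAP password. It also applies RFC 4515 escaping to the `User-Name` value placed into the filter, which the quoted config relies on the server to do.

```python
"""Model of rlm_ldap's PAP authentication path for the config quoted above.
Added example, not FreeRADIUS code; the LDAP server below is an in-memory
fake and every entry in it is constructed sample data."""

# Constructed values mirroring the SEARCHDN / SEARCHPW / BASEDN variables.
SEARCHDN = "CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com"
SEARCHPW = "blahblah"
BASEDN = "OU=My Site,DC=mysite,DC=com"

# Constructed directory: DN -> attributes. The _password field exists only so
# the fake server can answer simple binds; a real AD never hands passwords out.
DIRECTORY = {
    SEARCHDN: {"sAMAccountName": "freeradius", "_password": SEARCHPW},
    "CN=Alice Example,OU=Users,OU=My Site,DC=mysite,DC=com": {
        "sAMAccountName": "alice", "_password": "correct horse"},
    # Deliberately outside BASEDN: the search must not find this account.
    "CN=Bob Example,OU=Staff,DC=mysite,DC=com": {
        "sAMAccountName": "bob", "_password": "hunter2"},
}


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that are special inside a filter
    assertion value, so a User-Name cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def strip_user_name(user_name):
    """Model of Stripped-User-Name: drop a DOMAIN\\ prefix or an @realm suffix
    so the bare account name is what reaches the sAMAccountName filter."""
    if "\\" in user_name:
        user_name = user_name.split("\\", 1)[1]
    if "@" in user_name:
        user_name = user_name.split("@", 1)[0]
    return user_name


def build_filter(user_name):
    """Equivalent of filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"."""
    return "(sAMAccountName=%s)" % escape_filter_value(strip_user_name(user_name))


class FakeLdapServer:
    """Minimal stand-in for the AD controller: simple bind plus one-attribute
    equality search scoped to a base DN."""

    def __init__(self, directory):
        self.directory = directory

    def bind(self, dn, password):
        entry = self.directory.get(dn)
        return entry is not None and entry["_password"] == password

    def search(self, basedn, ldap_filter):
        prefix, suffix = "(sAMAccountName=", ")"
        if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(suffix)):
            raise ValueError("fake server only supports the sAMAccountName filter")
        wanted = ldap_filter[len(prefix):-1]
        # Compare in escaped form on both sides, which is equivalent to a
        # real server decoding the assertion value before comparing.
        return [dn for dn, attrs in self.directory.items()
                if dn.endswith(basedn)
                and escape_filter_value(attrs["sAMAccountName"]) == wanted]


SERVER = FakeLdapServer(DIRECTORY)


def pap_authenticate(server, user_name, password):
    """The three steps rlm_ldap performs for Auth-Type LDAP with a PAP request."""
    # 1. Bind with the search account (identity / password in the ldap {} block).
    if not server.bind(SEARCHDN, SEARCHPW):
        return "reject: search account bind failed (check identity/password)"
    # 2. Locate exactly one user DN below basedn with the configured filter.
    matches = server.search(BASEDN, build_filter(user_name))
    if len(matches) != 1:
        return "reject: user not found below basedn"
    # 3. Rebind as the user's DN with the cleartext PAP password.
    if not server.bind(matches[0], password):
        return "reject: user bind failed"
    return "accept: " + matches[0]


if __name__ == "__main__":
    for name, pw in [("alice", "correct horse"), ("MYSITE\\alice", "correct horse"),
                     ("alice", "wrong"), ("bob", "hunter2")]:
        print("%-15s -> %s" % (name, pap_authenticate(SERVER, name, pw)))
```

Each reject string maps to a distinct thing to check in `radiusd -X` output: the first points at identity/password, the second at basedn or the filter (including a domain prefix that was not stripped), the third at the user's password. Note that step 3 only works because PAP carries the password in the clear to the RADIUS server; CHAP or MS-CHAP requests cannot be checked this way.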
