Freeradius Auth via LDAP against Active Directory Server 2003

Phil Mayers p.mayers at imperial.ac.uk
Tue Jun 5 18:51:11 CEST 2007


On Tue, 2007-06-05 at 09:22 -0500, Ryan Kramer wrote:
> 
> Were you ever able to solve the issue of multiple OU's? I have about
> 100 OU's that have users under them, running without a specified OU

Why can't you specify a top-level OU and use subtree searches?

>  doesn't work, and obviously once I drop into an OU it hits the users
> that live there, and no others. 

The "basedn" config item on the "ldap" module is dynamically expanded.
If you can map a username to an OU, you could use a dynamic expansion
there. But if you've got hundreds of OUs without a common ancestor and
subtree search, I'd say you've designed your LDAP directory wrong.

> 
> Ryan
> 
> 
> 
> On 4/29/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
>         OK tried with 1.1.4 and yerp works great.
>         
>         radiusd -X output: http://pastebin.ca/464153
>         radiusd.conf: http://pastebin.ca/464156
>         
>         I also realised a mistake I have been making: I want to
>         search the whole active directory, hence I kept setting my
>         basedn without an OU. After seeing your excellent example and
>         auth'ing had failed, I stuck in an OU and tried a user from
>         the OU and it worked fine.
>         
>         So my question is this: to auth people from multiple OU's, do
>         I create a new ldap module for each OU, or is there a simpler
>         way?
>         
>         Thanks very much for your help Phil, it's been a very
>         productive weekend thanks to the info you provided.
>         
>         My challenge for Monday will be setting up the cisco and
>         wireless clients now :)
>         
>         On 4/29/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
>         > radiusd.conf: http://pastebin.ca/464133
>         > radius -X output: http://pastebin.ca/464138
>         >
>         > Tried with 1.1.6 and fails with this error:
>         >
>         > rlm_ldap: reading ldap<->radius mappings from
>         file /etc/raddb/ldap.attrmap
>         > rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
>         > rlm_ldap: Reading dictionary mappings from
>         file /etc/raddb/ldap.attrmap failed 
>         > radiusd.conf[540]: ldap: Module instantiation failed.
>         > radiusd.conf[586] Unknown module "ldap".
>         > radiusd.conf[586] Failed to parse "ldap" entry.
>         > ----------------------------- 
>         > /etc/raddb/ldap.attrmap does exist as provided by the rpm.
>         >
>         > [root at localhost src]# ls -l /etc/raddb/ldap.attrmap
>         > -rw-r----- 1 root root 2424 Apr 19
>         16:32 /etc/raddb/ldap.attrmap
>         >
>         > I assume the permissions are correct, as it was installed by
>         > rpm. I'm building the 1.1.4 rpm now, will report back once done.
>         >
>         > On 4/29/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
>         > > Thanks for the very detailed instructions. 
>         > >
>         > > I will attempt this shortly (brought rad & ad servers home
>         > > for weekend study).
>         > >
>         > > Quite possibly the biggest learning curve for me is the
>         > > ldap fields, but I am finally starting to get familiar with them.
>         > >
>         > > Cheers again, will post back once I've run the radtest.
>         > >
>         > > On 4/28/07, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>         > > > I haven't been following your (quite extensive) queries,
>         > > > so apologies if I've missed something fundamental.
>         > > >
>         > > > I honestly don't know why this is proving so difficult.
>         > > > I've just tested this against our own 2k3 AD service, and
>         > > > although I'm pretty familiar with FR it took under 5
>         > > > minutes. Try following the instructions below. These were
>         > > > tested with FreeRadius 1.1.4
>         > > >
>         > > > 1. First, create or locate an existing account which
>         > > > FreeRadius can bind and do its searches as. Record the
>         > > > following variables:
>         > > >
>         > > > SEARCHDN=<the DN of the account>
>         > > > SEARCHPW=<the password>
>         > > > BASEDN=<the DN below which all your accounts live in AD>
>         > > > ADHOST=<hostname of the AD controller you'll search against>
>         > > >
>         > > > For example, these might be:
>         > > >
>         > > > SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
>         > > > SEARCHPW=blahblah
>         > > > BASEDN=OU=My Site,DC=mysite,DC=com
>         > > >
>         > > > 2. Next, take the default "radiusd.conf"
>         > > >
>         > > > 3. Find the start of the modules section: 
>         > > >
>         > > > modules {
>         > > >   ...
>         > > >
>         > > > Delete this line and all the following lines
>         > > >
>         > > > 4. Insert the following config:
>         > > >
>         > > > modules {
>         > > >    ldap {
>         > > >      server = "$ADHOST"
>         > > >      identity = "$SEARCHDN"
>         > > >      password = "$SEARCHPW" 
>         > > >
>         > > >      basedn = "$BASEDN"
>         > > >      filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>         > > >
>         > > >      dictionary_mapping = ${raddbdir}/ldap.attrmap 
>         > > >
>         > > >      ldap_connections_number = 5
>         > > >      timeout = 4
>         > > >      timelimit = 3
>         > > >      net_timeout = 1
>         > > >    }
>         > > > 
>         > > >    preprocess {
>         > > >      huntgroups = ${confdir}/huntgroups
>         > > >      hints = ${confdir}/hints
>         > > >
>         > > >      with_ascend_hack = no
>         > > >      ascend_channels_per_line = 23 
>         > > >
>         > > >      with_ntdomain_hack = no
>         > > >      with_specialix_jetstream_hack = no
>         > > >      with_cisco_vsa_hack = no
>         > > >    }
>         > > >
>         > > >    detail { 
>         > > >      detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>         > > >      detailperm = 0644
>         > > >    }
>         > > >
>         > > > }
>         > > >
>         > > > instantiate { 
>         > > > }
>         > > >
>         > > > authorize {
>         > > >    preprocess
>         > > >
>         > > >    ldap
>         > > > }
>         > > >
>         > > > authenticate {
>         > > >    Auth-Type LDAP { 
>         > > >      ldap
>         > > >    }
>         > > > }
>         > > >
>         > > >
>         > > > preacct {
>         > > >    preprocess
>         > > > }
>         > > >
>         > > > accounting { 
>         > > >    detail
>         > > > }
>         > > >
>         > > >
>         > > > session {
>         > > > }
>         > > >
>         > > > post-auth {
>         > > > }
>         > > >
>         > > > pre-proxy {
>         > > > }
>         > > >
>         > > > post-proxy {
>         > > > }
>         > > >
>         > > > 5. Start the server with -X
>         > > >
>         > > > 6. Run "radtest" to send a checking PAP request 
>         > > >
>         > > > It should work.
>         > > >
>         > > > The above config is the ABSOLUTE BARE MINIMUM server
>         > > > config which will check PAP requests ONLY against an AD
>         > > > LDAP server. I do NOT recommend you go into service with
>         > > > this config. Try to look at it, understand how it's doing
>         > > > what it's doing, *then* start again with the default
>         > > > FreeRadius config and make the absolute minimum changes
>         > > > to get back to that point.
>         > > > -
>         > > > List info/subscribe/unsubscribe? See
>         http://www.freeradius.org/list/users.html
>         > > > 
>         > >
>         >
> 

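Phil's suggestion of one top-level basedn plus a subtree search, and the sAMAccountName filter from the quoted radiusd.conf, as an added Python example (this is not code from the thread or from FreeRADIUS; the user DNs are constructed, and the RFC 4515 escaping is an assumption about the defensive handling a production module must apply to the expanded username):

```python
"""Added example, not from the thread or from FreeRADIUS: pick the basedn for
a single subtree search over users spread across many OUs, and build the
sAMAccountName filter from the quoted radiusd.conf with RFC 4515 escaping."""
import re

# Constructed sample: users living under several OUs of one AD domain.
SAMPLE_USER_DNS = [
    "CN=alice,OU=Sales,OU=My Site,DC=mysite,DC=com",
    "CN=bob,OU=Engineering,OU=My Site,DC=mysite,DC=com",
    "CN=carol,OU=Interns,OU=Engineering,OU=My Site,DC=mysite,DC=com",
]

def split_dn(dn):
    """Split a DN into its RDNs, ignoring commas escaped with a backslash."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def rdn_key(rdn):
    """Comparison key: AD matches attribute types and values case-insensitively."""
    typ, _, val = rdn.partition("=")
    return typ.strip().lower(), val.strip().lower()

def common_basedn(dns):
    """Deepest DN that is an ancestor of every DN given: the one basedn that a
    subtree search can use instead of one ldap module per OU. Returns "" when
    the DNs share no ancestor at all (the case Phil calls a design problem)."""
    chains = [list(reversed(split_dn(d))) for d in dns]  # root RDN first
    common = []
    for level in zip(*chains):  # zip stops at the shortest chain
        if len({rdn_key(r) for r in level}) != 1:
            break
        common.append(level[0])  # keep the spelling from the first DN
    return ",".join(reversed(common))

# Assumption: RFC 4515 escaping of the characters that are special in a
# search filter, so a username can never alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def samaccountname_filter(user_name, stripped_user_name=None):
    """Mirror of %{Stripped-User-Name:-%{User-Name}}: use the stripped name
    when a realm module set it, otherwise User-Name, then escape the value."""
    name = stripped_user_name or user_name
    return f"(sAMAccountName={escape_filter_value(name)})"

if __name__ == "__main__":
    print("basedn =", common_basedn(SAMPLE_USER_DNS))  # OU=My Site,DC=mysite,DC=com
    print("filter =", samaccountname_filter("alice@mysite.com", "alice"))
```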