Config. Help please - ldap and Active Directory

Nicolas Goutte nicolas.goutte at extragroup.de
Fri Mar 6 12:58:56 CET 2009


On 06.03.2009 at 12:20, Leighton Man wrote:

> Hi,
> I'm new to freeradius (3 weeks experience) and mailing lists (second
> attempt), so please have patience.
> I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to
> authenticate against Active Directory using ntlm-auth.
> All working OK.
> Now I'm trying to return different reply attributes depending on Active
> Directory group membership and restrict which groups can authenticate.
> Ldap lookups against the active directory root fail with operation
> error. Reconfiguring Active Directory is not a viable option, so I have
> to specify an OU=xxxx in the query. I have configured two instances of
> the ldap module for authorisation, one to query the staff ou and the
> other to query the student ou. Both work OK for valid queries, but if
> the user does not exist in the ou, the server still authenticates the
> username/password and grants access if valid. Relevant debug output:
>
> rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap_student" returns notfound for request 8
> modcall: leaving group student (returns notfound) for request 8
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
>   rlm_eap: Request found, released from the list
>
> ...............................
>
>   rlm_eap_peap: Tunneled data is valid.
>   rlm_eap_peap: Success
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 8
> modcall: leaving group authenticate (returns ok) for request 8
> Sending Access-Accept of id 104 to 10.127.240.217 port 1645
>
> Relevant bits of radiusd.conf:
>
>         ldap ldap_student {
>                 server = "server.hud.ac.uk"
>                 identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"

>                 password = secret
>

Try using := instead of = or ==. You have to assign the password, not
compare to it. Also, perhaps you should use Cleartext-Password if the
password is in clear here.


>                 port = 636
>                 basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
>                 filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
>                 start_tls = no
>
>                 access_attr = "dialupAccess"
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>                 ldap_connections_number = 5
>                 groupname_attribute = cn
>                 groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>                 groupmembership_attribute = radiusGroupName
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>         }
>
> ........................................
>
> instantiate {
>         exec
>         expr
>                 ldap_staff
>                 ldap_student
> }
>
> authorize {
>         preprocess
>         mschap
>         suffix
>         eap
>         Autz-Type staff{
>                 ldap_staff
>         }
>         Autz-Type student{
>                 ldap_student
>         }
>         files
> }
>
> authenticate {
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>         eap
> }
>
> I want to reject the user if they are not in the relevant ou. I  
> must be missing something obvious. Can anyone help please?
>
> Thanks in advance,
> Leighton

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Commercial register: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
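An added example, not from either poster, showing the authorize section rewritten with FreeRADIUS 1.x per-call return-code overrides ("configurable failover") so that an LDAP miss ends in Access-Reject instead of falling through to EAP; it assumes the ldap_staff and ldap_student instance names from the quoted radiusd.conf and that Autz-Type is already being set earlier in processing (for example from the users or hints file), since the Autz-Type sub-sections only run when that attribute is present.

```conf
# Added example, not the poster's radiusd.conf.
# By default a module returning "notfound" in authorize just lets the
# request continue to the next module, which is why the quoted debug
# output reaches the EAP authentication after "returns notfound".
# Remapping notfound to reject inside the module call stops the request
# right there with an Access-Reject.
authorize {
        preprocess
        mschap
        suffix
        eap
        Autz-Type staff {
                ldap_staff {
                        # no entry under ou=Staff -> Access-Reject
                        notfound = reject
                }
        }
        Autz-Type student {
                ldap_student {
                        # no entry under ou=students -> Access-Reject
                        notfound = reject
                }
        }
        files
}
```

A "fail" return (LDAP server unreachable, bind error) already causes the section to stop and the request to be rejected, so only the notfound case needs remapping here.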