Config. Help please - ldap and Active Directory

tnt at kalik.net
Fri Mar 6 13:16:07 CET 2009


> I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience.
> I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth.
> All working OK.
> Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate.
> LDAP lookups against the Active Directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU=xxxx in the query.
> I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou.
> Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid.

You need to upgrade to 2.x and use unlang. See "man unlang" on the
FreeRADIUS site. You need something like:

if (Ldap-Group == "staff") {
    # do something
}
elsif (Ldap-Group == "student") {
    # do something else
}
else {
    update control { Auth-Type := Reject }
}

Ivan Kalik
Kalik Informatika ISP
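Worked out in full for the two-OU setup from the question, as an added configuration example (not part of Ivan's reply and not from the FreeRADIUS project): two rlm_ldap instances for 2.x, one per OU, and an authorize section that returns a per-group reply attribute and rejects anyone who is in neither group before the existing ntlm_auth/mschap authentication runs. Instance names, host names, DNs, group names and the Filter-Id values are assumptions; the AD domain is the placeholder example.local.

```unlang
# radiusd.conf / modules/ldap (FreeRADIUS 2.x).  One instance per OU,
# because searching from the domain root is not possible here.
# An instance not named "ldap" registers the check item
# <instance>-Ldap-Group instead of plain Ldap-Group.
ldap ldap_staff {
    server   = "dc1.example.local"                     # assumed DC
    identity = "CN=radius,OU=Service,DC=example,DC=local"
    password = "<service-account-password>"            # placeholder
    basedn   = "OU=Staff,DC=example,DC=local"
    filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    groupmembership_attribute = "memberOf"  # AD stores group DNs here
    groupname_attribute       = "cn"
}

ldap ldap_student {
    server   = "dc1.example.local"
    identity = "CN=radius,OU=Service,DC=example,DC=local"
    password = "<service-account-password>"            # placeholder
    basedn   = "OU=Students,DC=example,DC=local"
    filter   = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    groupmembership_attribute = "memberOf"
    groupname_attribute       = "cn"
}

# sites-enabled/default, authorize section.  Group membership is decided
# here, so a correct AD password no longer helps a user outside both OUs.
authorize {
    preprocess
    mschap              # keeps the working ntlm_auth-based MS-CHAP setup
    ldap_staff
    ldap_student

    # Full group DNs (assumed) avoid a second search for the group object.
    if (ldap_staff-Ldap-Group == "CN=RADIUS-Staff,OU=Staff,DC=example,DC=local") {
        update reply {
            Filter-Id := "staff"           # example per-group reply attribute
        }
    }
    elsif (ldap_student-Ldap-Group == "CN=RADIUS-Students,OU=Students,DC=example,DC=local") {
        update reply {
            Filter-Id := "student"
        }
    }
    else {
        # Not found in either OU, or found but not a member: reject now.
        update control {
            Auth-Type := Reject
        }
    }
}
```

Each Ldap-Group comparison performs its own LDAP query against that instance's basedn, so a user missing from an OU simply fails that comparison and falls through to the reject branch; check with "radiusd -X" that the else branch, not the authenticate section, is what decides for such a user.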
