Config. Help please - ldap and Active Directory

Leighton Man l.j.man at hud.ac.uk
Fri Mar 6 15:04:13 CET 2009


 
>I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience.
>I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth.
>All working OK.
>Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to specify an OU=xxxx in the query. I have configured two instances of the ldap module for authorisation, one to query the staff ou and the other to query the student ou. Both work OK for valid queries but if the user does not exist in the ou the server still authenticates the username/password and grants access if valid.

You need to upgrade to 2.x and use unlang. See man unlang on freeradius site. You need something like:

if (Ldap-Group == "staff") {              # do something
} elsif (Ldap-Group == "student") {       # do something else
} else { update control { Auth-Type := Reject } }

Ivan Kalik
Kalik Informatika ISP
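As an added illustration (not Ivan's or the FreeRADIUS project's own configuration), this is the 2.x authorize section the advice above sketches, assuming two ldap module instances named ldap_staff and ldap_student, each with groupmembership_attribute = memberOf and its base DN set to the matching OU; the instance names, group DNs and Filter-Id values are hypothetical placeholders.

```unlang
# Added example: default-deny group authorisation in a 2.x authorize section.
# Assumes ldap_staff and ldap_student are two instances of the ldap module
# (hypothetical names) pointing at OU=Staff and OU=Students respectively.
authorize {
    preprocess

    # Look the user up in both OUs. A user outside an OU makes that
    # instance return "notfound", which does not stop processing here.
    ldap_staff
    ldap_student

    # An ldap instance not named "ldap" registers <instance>-Ldap-Group
    # as its group check attribute, so each OU gets its own comparison.
    if (ldap_staff-Ldap-Group == "CN=radius-staff,OU=Staff,DC=example,DC=ac,DC=uk") {
        update reply {
            Filter-Id := "staff"
        }
    }
    elsif (ldap_student-Ldap-Group == "CN=radius-students,OU=Students,DC=example,DC=ac,DC=uk") {
        update reply {
            Filter-Id := "student"
        }
    }
    else {
        # Default deny: the user is in neither permitted group, so the
        # request is rejected before ntlm_auth can validate the password.
        update control {
            Auth-Type := Reject
        }
    }

    # The existing ntlm_auth Auth-Type assignment (for example a DEFAULT
    # entry in the users file) is left unchanged and runs only for users
    # that reached this point without being rejected.
    files
}
```

The group DNs must match the memberOf values Active Directory returns for the user exactly, so check them against an ldapsearch of a known staff and a known student account before relying on the reject branch.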

Many thanks for this. I'm using 1.1.7 because it's available as a pre-built package on solaris for both sparc and x86 architectures. The idea is to get freeradius configured and working as fast as possible so it can be demo'd to management (I'm trying to retire Cisco ACS). Then to test it on x86 standard build which is being developed in parallel. Then, if all works, upgrade to latest version.
Version 2.1.3 won't compile on my solaris box and the problem looks, to me, non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a function))

Is there any way to do what I want without upgrading?

Regards,

Leighton