Freeradius, Active Directory and User's Group

Peter Lambrechtsen plambrechtsen at gmail.com
Tue Mar 30 06:12:22 CEST 2010


The best way is to follow what I suggested in this post.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html

We authenticate a group of 5620's and 7210's in our environment too using
that exact same method.

Now that the Timetra (now Lucent) Dictionary is in 2.1.8 thanks to me
(shameless plug) it should be easy.

Any questions you can send them to me off-list if you need more help.

On Tue, Mar 30, 2010 at 10:12 AM, Gary Gatten <Ggatten at waddell.com> wrote:

> Yup - that's what I was talking about.
>
> You can use variables, but if you need to enumerate a users group
> memberships - then yea you'll need LDAP.
>
> G
>
>
> -----Original Message-----
> From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org[mailto:
> freeradius-users-bounces+ggatten <freeradius-users-bounces%2Bggatten>=
> waddell.com at lists.freeradius.org] On Behalf Of Lincoln Zuljewic Silva
> Sent: Monday, March 29, 2010 4:08 PM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius, Active Directory and User's Group
>
> Gary
>
> Are you talking about the "--require-membership-of" parameter of ntlm_auth?
>
> If yes, I can't use it because is a "randon" situation.
>
> The Alcatel software has a list of all groups that can login and their
> appropriate permissions. The freeradius has to see what are the user
> groups that the user are member of and reply it to Alcatel software.
>
> John,
>
> I will check out this "reply attribute" and see if it works for me...
>
> Regards
> Lincoln
>
> On Mon, Mar 29, 2010 at 5:53 PM, Gary Gatten <Ggatten at waddell.com> wrote:
> > FWIW, I do group checking with SAMBA.  I'm not in front of my system, but
> there's an arg one can pass to the Samba util exe where it will validate
> uname, password, and group membership.  This should work for most "simple"
> confs, although I can certainly envision situations where LDAP may be
> required.
> >
> > ----- Original Message -----
> > From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org<freeradius-users-bounces+ggatten=
> waddell.com at lists.freeradius.org>
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org
> >
> > Sent: Mon Mar 29 15:26:57 2010
> > Subject: Re: Freeradius, Active Directory and User's Group
> >
> > Understood, but the freeradius will be able to return this group
> > information to the Alcatel device?
> >
> > Regards
> > Lincoln
> >
> > On Mon, Mar 29, 2010 at 5:10 PM, John Dennis <jdennis at redhat.com> wrote:
> >> On 03/29/2010 04:02 PM, Lincoln Zuljewic Silva wrote:
> >>>
> >>> I'm sorry.
> >>>
> >>> I forgot to mention that I'm not using LDAP, but Samba to integrate
> >>> the freeradius with AD.
> >>
> >> O.K. I presume you're using samba for authentication, but where are you
> >> storing the information about which groups a user is in? I presume it's
> in
> >> AD. AD is an ldap server that you can query during authorization which
> is
> >> when and where you would do the group check.
> >> --
> >> John Dennis <jdennis at redhat.com>
> >>
> >> Looking to carve out IT costs?
> >> www.redhat.com/carveoutcosts/
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >
> >
> >
> > --
> > Lincoln Zuljewic Silva
> > More contact info.: http://www.system.adm.br/contact.php
> >
> > "How often must a question be asked before it's considered a
> > frequently asked question?"
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> --
> Lincoln Zuljewic Silva
> More contact info.: http://www.system.adm.br/contact.php
>
> "How often must a question be asked before it's considered a
> frequently asked question?"
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100330/0515a1e9/attachment.html>


More information about the Freeradius-Users mailing list