AD Authentication Permissions

Tyler Brady tbrady at stc-comm.com
Wed Jan 9 23:10:33 CET 2013


I think my bind is working fine now, but my basedn = "o=My Org,c=UA" field is still wrong. I'm still not sure of the syntax. Any suggestions?


[ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to office.company.stc:389, authentication 0
  [ldap] bind as cn=user name,ou=Phoenix_Users,dc=company,dc=stc/Sup3rS3cret to office.company.stc:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
  [ldap] object not found
rlm_ldap::ldap_groupcmp: search failed
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for tbrady
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> tbrady
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=tbrady)
[ldap] 	expand: ou=Phoenix_Users,dc=company,dc=stc -> ou=Phoenix_Users,dc=company,dc=stc
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound

T. Brady



-----Original Message-----
From: freeradius-users-bounces+tbrady=stc-comm.com at lists.freeradius.org [mailto:freeradius-users-bounces+tbrady=stc-comm.com at lists.freeradius.org] On Behalf Of Mathieu Simon
Sent: Wednesday, January 09, 2013 12:53 PM
To: FreeRadius users mailing list
Subject: Re: AD Authentication Permissions

Hi Tyler

Since I'm in a similar situation with AD but still learning, just general experience with other applications from the *nix world authenticating against AD:

Your AD admin (you?) needs to create a basic user account, no domain admin needed - who can read the parts of your AD/LDAP tree as John said.
(We maintain a couple of srv-* accounts here to quickly distinguish them from real user accounts)

You'll need the value of the distinguishedName attribute on AD, your Admin can give you this value, but it's hidden by default in the GUI.*

For "server=" (don't know if it's recommended for FR too): You could point to your.domainname, as this is a DNS record maintained by your AD-integrated nameservers, which will point to all addresses of your current DCs.

BaseDN - yeah, look up a little what it is, it's the base your FR will start looking up inside the LDAP tree.

Regards
Mathieu
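As an added illustration of the two points Mathieu raises (the base DN as the starting point of the search, and the AD domain name as the natural source for it) applied to the debug output Tyler posted, here is a small Python helper that is not part of this thread: it derives the default base DN from an AD DNS domain, checks whether a configured basedn sits inside that naming context, summarises the rlm_ldap bind/search lines, and masks the bind password that the debug output prints in clear after the bind DN. The sample lines are constructed from the thread; the hostname, DNs and password are placeholders.

```python
import re

# Constructed sample in the shape of FreeRADIUS 2.x rlm_ldap debug output; the host,
# DNs and password are placeholders taken from the thread, not real credentials.
SAMPLE_DEBUG = """\
  [ldap] (re)connect to office.company.stc:389, authentication 0
  [ldap] bind as cn=user name,ou=Phoenix_Users,dc=company,dc=stc/Sup3rS3cret to office.company.stc:389
  [ldap] Bind was successful
  [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
  [ldap] object not found
"""

BIND_RE = re.compile(r"\[ldap\] bind as (?P<dn>.+?)/(?P<pw>\S+) to (?P<server>\S+)")
SEARCH_RE = re.compile(r"\[ldap\] performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))")


def domain_to_basedn(domain: str) -> str:
    """Default base DN of an AD domain: each DNS label becomes one dc= component."""
    return ",".join(f"dc={label}" for label in domain.strip(".").lower().split("."))


def base_under_domain(base: str, domain: str) -> bool:
    """True if the configured basedn lies inside the naming context of the AD domain."""
    suffix = domain_to_basedn(domain)
    norm = re.sub(r"\s*,\s*", ",", base.strip().lower())
    return norm == suffix or norm.endswith("," + suffix)


def redact_bind_password(line: str) -> str:
    """rlm_ldap prints the bind password in clear after the DN; mask it before sharing logs."""
    return BIND_RE.sub(lambda m: f"[ldap] bind as {m['dn']}/******** to {m['server']}", line)


def summarise(debug: str) -> dict:
    """Pull bind DN, server, search base, filter and outcome out of rlm_ldap debug lines."""
    info = {"bind_dn": None, "server": None, "bind_ok": False, "base": None, "filter": None, "found": None}
    for line in debug.splitlines():
        if m := BIND_RE.search(line):
            info["bind_dn"], info["server"] = m["dn"], m["server"]
        elif m := SEARCH_RE.search(line):
            info["base"], info["filter"] = m["base"], m["filter"]
            info["found"] = True  # overwritten below if the server reports no object
        elif "object not found" in line:
            info["found"] = False
        elif "Bind was successful" in line:
            info["bind_ok"] = True
    return info


if __name__ == "__main__":
    print("\n".join(redact_bind_password(l) for l in SAMPLE_DEBUG.splitlines()))
    print(summarise(SAMPLE_DEBUG))
```

Note that the host in server= (office.company.stc here) may be a DC name rather than the domain itself, so base_under_domain is given the AD domain, not the server hostname.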

More information about the Freeradius-Users mailing list