LDAP Group Against AD Issue
Alan DeKok
aland at deployingradius.com
Mon Mar 21 16:58:16 CET 2016
On Mar 21, 2016, at 10:39 AM, Matt Brennan <brennanma at gmail.com> wrote:
> I am attempting to setup FreeRADIUS 3.0.11 against a single Active
> Directory. I am also trying to use AD via LDAP to check group membership
> for authorization. The authentication (via MSCHAPv2) is working fine, but I
> am having issues with group memberships.
>
> If the user manually authenticates with their sAMAccountName (i.e.
> systest) everything works as expected. However, when automatic
> authentication is done by windows, the username is sent in the
> domain\username pattern, and my LDAP group checks fail. I end up trying to
> search AD for "DOMAIN\5c5c\5c5csystest" which doesn't work:
That's a fun Windows problem.
If the sAMAccountName is the "name" portion of the DOMAIN\name blob, you can put this in proxy.conf:
realm applause {
}
And uncomment the "ntdomain" entry in raddb/sites-enabled/default, in the "authorize" section. Also, read the comments there.
The "ntdomain" module will see "applause\systest", and create a Stripped-User-Name of "systest". The LDAP module will then use that Stripped-User-Name in order to do group checks.
Alan DeKok.
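As an added illustration (not part of Alan's message or of the FreeRADIUS distribution; the server name, bind DN, base DN and group DN are placeholders), the pieces that have to line up for the prefix stripping described above, in FreeRADIUS 3.0 configuration syntax:

```conf
# proxy.conf: a realm with no home_server or pool is handled locally.
# ntdomain only strips a prefix whose realm is defined here, so without
# this block "applause\systest" is passed through unchanged.
realm applause {
}

# mods-available/realm: the stock "ntdomain" instance. It splits
# "applause\systest" into Realm = "applause" and
# Stripped-User-Name = "systest".
realm ntdomain {
	format = prefix
	delimiter = "\\"
}

# sites-enabled/default (and inner-tunnel for PEAP/TTLS), authorize
# section: ntdomain has to run before ldap so the stripped name is
# available when the LDAP lookup happens.
authorize {
	preprocess
	suffix
	ntdomain
	ldap
	# placeholder group DN; LDAP-Group is resolved through memberOf below
	if (LDAP-Group == "CN=wifi-users,OU=Groups,DC=example,DC=com") {
		ok
	}
	else {
		reject
	}
}

# mods-available/ldap: look the user up by Stripped-User-Name, falling
# back to User-Name when nothing was stripped. Searching on User-Name
# alone puts the backslash into the filter, where it is escaped into
# the "\5c" sequences seen in the question.
ldap {
	server = 'dc1.example.com'          # placeholder
	identity = 'CN=radius,CN=Users,DC=example,DC=com'
	password = 'placeholder'
	base_dn = 'DC=example,DC=com'
	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=group)'
		membership_attribute = 'memberOf'
	}
}
```

Run `radiusd -X` and confirm the debug output shows ntdomain setting Stripped-User-Name before the ldap module builds its user filter.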