Active Directory authenticated VPN

Pisch Tamás pischta at gmail.com
Mon May 10 16:14:44 CEST 2021


...and finally, it works, with these ldap settings:
ldap {
    # credentials for the search bind
    identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
    password = '...'
    base_dn = 'cn=Users,dc=ad,dc=ourdomain,dc=hu'
    # AD groups list their users in 'member', so groups are looked up by the user's DN
    groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
    # AD stores the login name in sAMAccountName, not uid
    filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
    group {
        membership_attribute = 'memberOf'
    }
    tls {
        start_tls = yes
        # 'allow' tolerates a missing or unverifiable server certificate; 'demand' enforces verification
        require_cert = 'allow'
    }
}
I noticed that in the user object there is a memberOf attribute, but in the
group object the attribute name is member... I also had to modify the
filter, because in AD the attribute name is samaccountname instead of uid
(yes, the configuration file mentions it).
Thanks to everyone for the help and for the patience :)

Thanks,
Tamás.

Alan DeKok <aland at deployingradius.com> ezt írta (időpont: 2021. máj. 7., P,
13:46):

> On May 7, 2021, at 7:34 AM, Pisch Tamás <pischta at gmail.com> wrote:
> >
> > Thanks for the clarification of the membership_attribute parameter. Now I
> > understand its role. I changed it to member in my configuration, but the
> > result is still the same, "Search returned no results".
>
>   Then the configuration for the FreeRADIUS LDAP module is different from
> what you're using with ldapsearch.
>
>   3.0.18 and later have *detailed* instructions for how to use the LDAP
> module configuration in ldapsearch, and vice versa.  It is just a matter of
> careful analysis, and cut & paste.
>
>   Get ldapsearch working.  Then use the instructions to copy that
> configuration to mods-available/ldap.  It is that simple.
>

In the ldap module, there is a help for ldapsearch. For the user I
substituted my parameters:
ldapsearch -D 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' -w '...' \
    -h 'localhost' -b 'CN=vpn,CN=Users,dc=ad,dc=ourdomain,dc=hu'
It gives the vpn user object.
For the group I should expand it:
ldapsearch -D 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' -w '...' \
    -h 'localhost' -b 'CN=vpn,CN=Users,dc=ad,dc=ourdomain,dc=hu' \
    '(&(objectClass=user)(sAMAccountName=vpn)(memberof=CN=vpnusers,cn=Users,dc=ad,dc=ourdomain,dc=hu))'
I noticed that users have a memberOf attribute, but in the group, users are
listed in the member attribute.
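An added example, not part of the original post or of FreeRADIUS: it builds the two filters from the configuration above (the sAMAccountName lookup with the Stripped-User-Name fallback, and the group lookup through the group's member attribute) with RFC 4515 escaping of the interpolated value, the same escaping rlm_ldap applies to its own %{...} expansions, and runs them against a constructed in-memory directory that mirrors the memberOf/member asymmetry the post describes. The directory entries and the DN values are constructed sample data.

```python
from typing import Dict, List, Optional

# RFC 4515 escaping for a value interpolated into a search filter.
# rlm_ldap escapes %{...} expansions inside its filters the same way,
# so a User-Name such as "vpn)(cn=*" cannot rewrite the filter.
def ldap_filter_escape(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

# %{%{Stripped-User-Name}:-%{User-Name}}: prefer the realm-stripped name,
# fall back to the raw User-Name when no realm was split off.
def user_filter(user_name: str, stripped: Optional[str] = None) -> str:
    return "(samaccountname=%s)" % ldap_filter_escape(stripped or user_name)

# groupmembership_filter from the post: groups are found through their
# 'member' attribute holding the user's DN (control:Ldap-UserDn).
def group_filter(user_dn: str) -> str:
    return "(|(&(objectClass=group)(member=%s)))" % ldap_filter_escape(user_dn)

# Constructed AD-like directory (sample data, not a real domain): the user
# object carries memberOf, the group object carries member.
Entry = Dict[str, List[str]]
DIRECTORY: Dict[str, Entry] = {
    "CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["vpn"],
        "memberOf": ["CN=vpnusers,CN=Users,DC=ad,DC=ourdomain,DC=hu"],
    },
    "CN=vpnusers,CN=Users,DC=ad,DC=ourdomain,DC=hu": {
        "objectClass": ["top", "group"],
        "member": ["CN=vpn,CN=Users,DC=ad,DC=ourdomain,DC=hu"],
    },
}

# Equivalent of the 'filter' lookup: resolve a login name to the user DN.
# sAMAccountName is matched case-insensitively, as AD does.
def find_user_dn(name: str) -> Optional[str]:
    for dn, attrs in DIRECTORY.items():
        if ("user" in attrs["objectClass"]
                and name.lower() in (v.lower() for v in attrs.get("sAMAccountName", []))):
            return dn
    return None

# Equivalent of groupmembership_filter: every group whose 'member' lists the
# user DN. DN values compare case-insensitively (AD's DN matching rule).
def groups_of(user_dn: str) -> List[str]:
    return [dn for dn, attrs in DIRECTORY.items()
            if "group" in attrs["objectClass"]
            and user_dn.lower() in (m.lower() for m in attrs.get("member", []))]
```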

