<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.0.10">
<TITLE>Nachricht</TITLE>
</HEAD>
<BODY LINK="#0000ff">
On Mon 14/11/2005 at 12:13, freeradius-users-request@lists.freeradius.org wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE><FONT COLOR="#737373"><I>Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
</FONT><A HREF="http://lists.freeradius.org/mailman/listinfo/freeradius-users"><U>http://lists.freeradius.org/mailman/listinfo/freeradius-users</U></A>
<FONT COLOR="#737373">or, via email, send a message with subject or body 'help' to
freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."</PRE>
<HR>
<PRE>Today's Topics:
1. RE: Freeradius vs. ActiveDirectory (Jonathan De Graeve)
2. Re: Freeradius vs. ActiveDirectory (A.L.M.Buxey@lboro.ac.uk)
3. AW: Freeradius vs. ActiveDirectory (Völker)
4. RE: Failed attempts log (Thierry Hoferlin)
5. AW: Freeradius vs. ActiveDirectory (Völker)</PRE>
<HR>
<BR>
<B>From:</B> Jonathan De Graeve <Jonathan.De.Graeve@imelda.be><BR>
<B>To:</B> FreeRadius users mailing list <freeradius-users@lists.freeradius.org><BR>
<B>Subject:</B> RE: Freeradius vs. ActiveDirectory<BR>
<B>Date:</B> Mon, 14 Nov 2005 11:36:45 +0100<BR>
<BR>
<BR>
</FONT><BR>
<FONT COLOR="#000080" SIZE="2">What about the password?</FONT><BR>
<BR>
<FONT COLOR="#000080" SIZE="2">I thought this was a Kerberos one and didn't reside in the LDAP itself?</FONT><BR>
<BR>
<FONT COLOR="#000080" SIZE="2">--<BR>
Jonathan De Graeve<BR>
Network/System Administrator<BR>
Imelda vzw<BR>
Informatica Dienst<BR>
015/50.52.98<BR>
jonathan.de.graeve@imelda.be<BR>
<BR>
---------<BR>
Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite<BR>
---------</FONT><BR>
<FONT COLOR="#737373"><BR>
<BR>
<DIV ALIGN=center>
<HR>
</DIV><BR>
</FONT><BR>
<FONT COLOR="#737373" SIZE="2"><B>From:</B> freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] <B>On behalf of </B>Völker, Christian<BR>
<B>Sent:</B> Monday 14 November 2005 11:22<BR>
<B>To:</B> freeradius-users@lists.freeradius.org<BR>
<B>Subject:</B> Freeradius vs. ActiveDirectory</FONT><BR>
<FONT COLOR="#737373"><BR>
</FONT><BR>
<FONT COLOR="#737373" SIZE="3"> </FONT><BR>
<FONT COLOR="#737373"></FONT><BR>
<FONT COLOR="#737373" SIZE="2">Yohoo!<BR>
<BR>
Yes! I did it! ;)<BR>
<BR>
My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory (on 2003 Server). Without ntlm_auth!<BR>
<BR>
Below I have added a short summary of how I realized it here.<BR>
<BR>
But now I have a question and I can't solve it for myself. I want to retrieve some group information from AD. In a user's account I find several values "memberOf" and the DN of the group the user belongs to.<BR>
<BR>
Now I want to give access via freeradius only to some special groups.<BR>
<BR>
I have figured out that there are these parameters:<BR>
<BR>
groupname_attribute, groupmembership_filter and groupmembership_attribute<BR>
<BR>
combined with some entries in the users-file.<BR>
<BR>
I've read the doc/rlm_ldap, but I didn't find any deeper hints or explanation.<BR>
<BR>
Questions:<BR>
<BR>
1. Where can I find some docs about the %{...} values in groupmembership_filter? Which one should I use in combination with my AD?<BR>
<BR>
2. Which value should I use then in the users-file?<BR>
<BR>
3. Is there anyone who can give a little help in further authenticating with groups?<BR>
<BR>
-------------short summary how to authenticate vs. ActiveDirectory -----------------------<BR>
<BR>
/etc/raddb/radiusd.conf<BR>
<BR>
[...]</FONT>
<PRE>ldap {
        # servername with an AD-Server running Win2003Srv
        server = "adsrv.qsc.de"

        # The user account for querying AD (anonymous query is disabled)
        identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"

        # The password for the query user
        password = 'xxxxxx'

        # base DN for user search; all our users are in ou=employees.
        # Without this "ou=...", no user will be found. I don't understand why.
        basedn = "ou=employees,dc=qsc,dc=de"

        # I've copied the below string, because I didn't understand the meanings of the %{...}
        filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"

        # I had to increase the timeouts
        timeout = 40
        timelimit = 30
        net_timeout = 10
}</PRE>
<FONT COLOR="#737373" SIZE="2">The users-file left on default, no changes.<BR>
<BR>
I hope I could help some people trying to use AD for radius.<BR>
<BR>
And I hope someone will help me with my user problem.<BR>
<BR>
Greets<BR>
<BR>
Christian</FONT><BR>
<FONT COLOR="#737373"><BR>
<BR>
<HR>
<PRE><B>From:</B> A.L.M.Buxey@lboro.ac.uk
<B>To:</B> FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
<B>Subject:</B> Re: Freeradius vs. ActiveDirectory
<B>Date:</B> Mon, 14 Nov 2005 10:42:07 +0000
Hi,
> I hope, I could help some people trying to use AD for radius.
there is another way - use the krb module to authenticate against AD
alan
</PRE>
<HR>
<PRE><B>From:</B> "Völker, Christian" <Christian.Voelker@qsc.de>
<B>To:</B> FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
<B>Subject:</B> AW: Freeradius vs. ActiveDirectory
<B>Date:</B> Mon, 14 Nov 2005 11:50:10 +0100
Yohoo!
> What about the password?
Which password? The User-Password? Or the shared secret?
The Password for the Proxy-User is written down in the radiusd.conf.
> I thought this was a kerberos one and didn't reside into the ldap itself?
Kerberos is installed, but I don't use it (I think so! ;-))
Greets
Christian
</PRE>
<HR>
<PRE><B>From:</B> Thierry Hoferlin <thierry.hoferlin@staff.cybernet.be>
<B>To:</B> FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
<B>Subject:</B> RE: Failed attempts log
<B>Date:</B> Mon, 14 Nov 2005 11:50:39 +0100
Thanks Nicolas,
It works fine.
Just for info, the attributes to use in the mssql.conf file are
"postauth_table" and "postauth_query"
With the following radius configuration :
post-auth {
        Post-Auth-Type REJECT {
                sql
        }
}
Regards,
Thierry.
>Thierry Hoferlin wrote:
>
>> I've configured a freeradius 1.0.5 with MSSQL authentification.
>> It works fine.
>>
>> Is there a way to log failed authentification records to SQL ?
>
>Please don't post HTML on the list.
>
>Search the archives for detailed instructions, but the general idea is
to use the module "sql" in section "post-auth".
>
></FONT><A HREF="http://freeradius.org/radiusd/doc/Post-Auth-Type"><U>http://freeradius.org/radiusd/doc/Post-Auth-Type</U></A>
<FONT COLOR="#737373">>
>--
>Nicolas Baradakis
>
>-
>List info/subscribe/unsubscribe? See</FONT>
<A HREF="http://www.freeradius.org/list/users.html"><U>http://www.freeradius.org/list/users.html</U></A>
<FONT COLOR="#737373">
</PRE>
<HR>
<PRE><B>From:</B> "Völker, Christian" <Christian.Voelker@qsc.de>
<B>To:</B> FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
<B>Subject:</B> AW: Freeradius vs. ActiveDirectory
<B>Date:</B> Mon, 14 Nov 2005 11:51:26 +0100
Yohoo!
>> I hope, I could help some people trying to use AD for radius.
>there is another way - use the krb module to authenticate against AD
Are there any advantages/ disadvantages ldap <-> krb5?
</PRE>
<HR>
<PRE>-
List info/subscribe/unsubscribe? See </FONT><A HREF="http://www.freeradius.org/list/users.html"><U>http://www.freeradius.org/list/users.html</U></I></A></PRE>
</BLOCKQUOTE>
<PRE><TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<BR>
Hello.<BR>
<BR>
I made a Freeradius 1.04 working configuration to authenticate users using krb5. It works without any problem, and if you look at the Microsoft documentation, you will see that it recommends using krb5 for Alien (Unix...)/Microsoft cross authentication.<BR>
<BR>
When using LDAP you must "translate" standard attributes into Microsoft ones without many warranties that it will keep working on the next patch. I know Microsoft wants to make its AD more compatible with standards, but for the moment I still wait and see.<BR>
<BR>
On the other hand, LDAP is a much more powerful protocol that does not only deal with authentication, while Kerberos's only goal is authentication. Maybe powerful users may use LDAP's powerfulness through Radius. I do not, and I'm not able to help you in that way.<BR>
<BR>
If someone is interested in using Radius<->krb5<->AD, I may (I have very poor English and I'm not a radius "hacker") help him.<BR>
<BR>
Just post to this mailing list that you are interested in it and I will answer as soon as I can.<BR>
<BR>
Bye.<BR>
<BR>
Stephane
</TD>
</TR>
</TABLE>
</PRE>
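The rlm_ldap filter in Christian's summary above, (sAMAccountname=%{Stripped-User-Name:-%{User-Name}}), uses the FreeRADIUS %{Attr:-fallback} form: Stripped-User-Name (the login with its realm removed) when it is present, otherwise User-Name. The following Python is an added model of that expansion, not FreeRADIUS code; it assumes the request attributes arrive as a dict, and it escapes the substituted value per RFC 4515 so that an asterisk or parenthesis in a login name is matched literally instead of altering the filter.

```python
# Added example (not FreeRADIUS code): models how FreeRADIUS 1.x expands the
# rlm_ldap filter; %{Attr:-fallback} uses Attr if present, else the fallback.

FILTER = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"

def ldap_escape(value: str) -> str:
    """Escape the characters with special meaning in an LDAP search filter
    (RFC 4515) so that a client-supplied value is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _matching_brace(s: str, start: int) -> int:
    """Return the index of the '}' closing a '%{' whose body begins at start."""
    depth, i = 1, start
    while i < len(s):
        if s.startswith("%{", i):       # nested xlat, e.g. the fallback
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{ in xlat string")

def xlat(template: str, request: dict) -> str:
    """Expand every %{...} in template from the request attributes."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 2)
            attr, sep, fallback = template[i + 2:end].partition(":-")
            if attr in request:
                out.append(ldap_escape(request[attr]))   # value from the packet
            elif sep:
                out.append(xlat(fallback, request))      # fallback is itself an xlat
            # a missing attribute with no fallback expands to nothing
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def build_filter(request: dict) -> str:
    """The filter that would be sent to AD for this (constructed) request."""
    return xlat(FILTER, request)
```

With a realm-qualified login the stripped form wins; without one the raw User-Name is used; an empty request yields an empty value, which is worth rejecting before the search.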
</BODY>
</HTML>