<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2769" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2>Yohoo!</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>Yes! I did it!
;)</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>My freeradius
(1.0.1-1.RHEL3) authenticates against our ActiveDirectory (on 2003 Server).
Without ntlm_auth! </FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>Below I have added a
short summary of how I realized it here.</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>But now I have a
question and I can't solve it by myself. I want to retrieve some group
information from AD. In a user's account I find several values "memberOf" with
the DN of the group that the user belongs to.</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>Now I want to give
access via freeradius only to some special groups.</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>I have figured out
that there are these parameters: </FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>groupname_attribute,
groupmembership_filter and groupmembership_attribute</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>combined with some
entries in the users-file.</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>I've read the
doc/rlm_ldap, but I didn't find any deeper hints or
explanation.</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2>Questions:</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>1. Where can I find
some docs about the %{...} values in groupmembership_filter? Which one should I
use in combination with my AD?</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>2. Which value
should I use then in the users-file?</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>3. Is there anyone
who can give a little help in further authenticating with
groups?</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>-------------short
summary how to authenticate vs. ActiveDirectory
-----------------------</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2>/etc/raddb/radiusd.conf</FONT></SPAN></DIV>
<PRE>
[...]
        ldap {
                # servername with an AD-Server running Win2003Srv
                server = "adsrv.qsc.de"
                # The Useraccount for querying AD (anonymous query is disabled)
                identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"
                # The password for the Query-User
                password = 'xxxxxx'
                # base DN for user search; all our Users are in ou=employees. Without this
                # "ou=...", no user will be found. I don't understand why
                basedn = "ou=employees,dc=qsc,dc=de"
                # I've copied the below string, because I didn't understand the meanings of the %{...}
                filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"
                # I had to increase the timeouts
                timeout = 40
                timelimit = 30
                net_timeout = 10
        }
</PRE>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>The users file is left
at the default, no changes.</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>I hope I could help
some people trying to use AD for radius.</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>And I hope someone
will help me with my user problem.</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial size=2>Greets
</FONT></SPAN></DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=165430210-14112005><FONT face=Arial
size=2>Christian</FONT></SPAN></DIV>
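<DIV>Added example, not part of the original message and not FreeRADIUS code: a small Python model of how the filter template in the summary is expanded. %{Stripped-User-Name:-%{User-Name}} means "use Stripped-User-Name if the request has it, otherwise User-Name", and the value is escaped per RFC 4515 before it is placed in the LDAP filter. The function names and the sample requests are made up for illustration.</DIV>
<PRE>
```python
# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_LDAP_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value):
    """Escape a value before it is placed inside an LDAP search filter."""
    return "".join(_LDAP_SPECIAL.get(ch, ch) for ch in value)

def _find_close(template, start):
    """Return the index of the '}' closing the '%{' that ends just before start."""
    depth = 1
    i = start
    while i != len(template):
        if template.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if template[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %{...} in template")

def expand(template, attrs):
    """Expand %{Attr} and %{Attr:-fallback}; request values are LDAP-escaped."""
    out = []
    i = 0
    while i != len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        end = _find_close(template, i + 2)
        name, sep, fallback = template[i + 2:end].partition(":-")
        value = attrs.get(name)
        if value:
            out.append(ldap_escape(value))         # attribute present: use it
        elif sep:
            out.append(expand(fallback, attrs))    # absent: expand the fallback
        i = end + 1
    return "".join(out)

FILTER = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"  # from the summary

# Constructed sample requests (hypothetical, not from the original message).
SAMPLES = [{"User-Name": "alice@qsc.de", "Stripped-User-Name": "alice"},
           {"User-Name": "bob"}, {"User-Name": "a*)(x"}]

if __name__ == "__main__":
    for attrs in SAMPLES:
        print(expand(FILTER, attrs))
```
</PRE>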
</BODY></HTML>