-----Original Message----- From: freeradius-users-bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius-users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Michael Holstein Sent: Friday, September 09, 2011 10:30 AM To: FreeRadius users mailing list Subject: Re: LDAP Authentication bind as user issue
This way it binds anonymously, and then fails to do an ldapsearch because of insufficient privs. Giving * read to all seems silly, and I would rather not go that route.
If anyone has suggestions or comments they would be greatly appreciated.
How I did it (assuming your using AD as the backend) .. is just create a user account to bind with to do the search (to locate the DN). It does not need to be an admin user, unless you have torqued down the permissions inside AD. This allows bind as the defined user (to search for the DN of the striped-user-name) and then rebind as that DN. ldap { server = "mydc.foocorp.com" identity = "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com" password = imnotgoingtotellyou basedn = "dc=foocorp,dc=com" filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Na me}}))" .. } Cheers, Michael Holstein Cleveland State University - Michael, Would this work if my AD users were in different OU's? I have my users broken out into respective location and department OU's. Such as user FOO is in both an OU of KY-Sales AND an OU of KY. They are not under the normal 'users' area. Thanks, Scott