suggestme wrote:
I have installed FreeRadius server 2.1.12, installed and configured Kerberos, Samba; configured ntlm_auth program for FreeRadius Authentication with Active Directory. Everything is successful and running smoothly till this stage. Now, I am in the phase of configuration of Authorization in FreeRadius. For Authorization process I want to use LDAP database which is already up and running in another server (not in the server where FreeRadius is installed). The authorization should be granted in such a way that some users should be allowed/restricted VPN, some should be allowed/restricted wifi, etc.......
What does that mean? i.e. HOW do you determine which users get what access? For most people, this means LDAP groups. Put users into groups, and give them permissions based on LDAP groups. You can check the groups at run time from FreeRADIUS.
I am not sure whether this is the best way to do Authorization using LDAP or not because it is first time I am trying this in FreeRadius. After changing the configuration as mentioned below and running FreeRadius in debug mode, I get successful "Ready to process requests" but while supplying user credentials I get rad_recv: *Access-Reject *packet from host 127.0.0.1 port 1812, id=60, length=20.
The debug log will tell you why the user was rejrected. Read it.
What I have done so far is:
Not post the debug log as suggested in the FAQ, README, "man" page, web site, and daily on this list.
But while following *"rlm_ldap"* doc I have seen that it is mentioned:
LDAP and Active Directory -------------------------
*You can only use PAP, and then only if you list "ldap" in the "authenticate" section.*
Does this mean I need to list ldap in authenticate section also. If I list it, what about ntlm_auth that is already enabled for authentication. I am confused with this.
Read my web page on Active Directory integration It explains this/
Should I need to install openldap & openssl also in the machine where freeradius is installed to make LDAP authorisation work properly?
No.
Please suggest me whether the configuration & process I am following related to LDAP is the good way to do or not. If not what is the best way to achieve it. Any documentation/site/thread suggestion regarding this would be greately appreciated.
My AD integration page (http://deployingradius.com) explains this in great detail. Alan DeKok.