-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Dusty Doris Sent: November 30, 2005 7:16 AM To: FreeRadius users mailing list Subject: RE: Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
Radiusd.conf:
filter =
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(membe rOf=CN=rp
tp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
This works fine. However I can't get it to return any replyItems. Has anyone gotten this to work with Active Directory? All the docs I see on the Net refeerence OpenLDAP. I'm sure there is a lot of folks out there running Windows 2000/2003 Active Directory.
I have spent a couple of days on this not having much luck. Here are a few questions that would help me a bit.
1) Do I need groupname_attribute to get this to work?
2) What about groupmembership_filter and groupmembership_attribute?
My ldap.attrmap looks like this:
replyItem Class groupofnames replyItem Class group
I think the above is correct. Can some shed some light on this?
Is group and groupofnames something that is an attribute of a user? When freeradius searches for reply items it is searching for attributes of that user.
eg:
dn: cn=someuser,... group: somegroup
Should then add
Class = somegroup
to the reply items.
If you want to make reply items attached to a group, rather than in individual, you will need to set the User-Profile attribute.
For example,
dn: cn=somegroup,ou=groups,... group: somegroup
Then in the users file.
DEFAULT Ldap-Group == somegroup, User-Profile := "cn=somegroup,ou=groups,..."
You may be able to do this dynamically using xlat or something like huntgroups too. If you want an example, send us an example of a user and group from AD in ldif format and an example of a radius packet that you would expect in the reply and I'll see if I can come up with an idea for ya.
I'm still waiting for some help with this.....I have sent all the information that you requested. I have gotten it to return the group name but it is also returning the username as well and the username is returned after the group name. Is there is way to return just the groupname? I really would like to resolve this issue ones and for all. I'm really surprised that there are not folks on the list who have Active Directory users that they want to use to lock VPN users into groups on the VPN Concentrator. If really there isn't, I would put a howto on this when I get it working and post it on the list. Here is my latest output: rlm_ldap: performing search in CN=itops,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave, with filter (cn=itops) rlm_ldap::ldap_groupcmp: User found in group itops rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 163 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for apuye radius_xlat: '(&(sAMAccountName=apuye)(objectclass=user))' radius_xlat: 'DC=corp,DC=van,DC=dwave' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter (&(sAMAccountName=apuye)(objectclass=user)) rlm_ldap: performing search in CN=itops,ou=Information Technology,ou=Datawave Users,dc=corp,dc=van,dc=dwave, with filter (objectclass=group) rlm_ldap: Adding samaccountname as Class, value itops & op=11 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding samaccountname as Class, value apuye & op=11 rlm_ldap: user apuye authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "apuye" with password "XXXXXXXXXXX" rlm_ldap: user DN: CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 1 rlm_ldap: bind as CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave/XXXXXXXXXX to huckster.corp.van.dwave:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user apuye authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: group Auth-Type returns ok for request 1 Sending Access-Accept of id 4 to 10.99.1.50:1031 Class = 0x6170757965 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 4 with timestamp 438e98b2 Nothing to do. Sleeping until we see a request. Thanks, Alhagie.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.