On Aug 16, 2017, at 4:05 PM, Adam Cage <adamcage27@gmail.com> wrote:
Dear Alan and people, I'm near the solution of my problem but I'm still having a problem.
Following the Alan Dekok tutorial about Authentication with Active Directory with ntlm_auth and mschap, everything work OK. In this case, I have no LDAP support at all, no authorization, just authentication.
That's fine. The guide deals with one issue at a time. If you can get AD authentication working, then adding LDAP authorization is about 10 minutes.
But the problem comes when I setup the LDAP support to Authorization when checking if user is or not in a given group with the Ldap-Group attribute.
Put those checks into the virtual server, not in the "users" file. What LDAP group checks are you doing? This kind of thing will work: authorize { ... if (LDAP-Group != admins) { reject } ... }
As I said previously, after configured ldap module and /etc/sites-available/default and inner-tunnel with LDAP for authorization,
To do *what*? Be specific. In most case, if you can write the requirements down in simple English, you can translate those to "unlang" policy rules pretty directly.
--nt-response=0fc92070b60d3a3a33846bee2708298a4f1b18c9b70e4f38 Wed Aug 16 10:51:56 2017 : Debug: *Exec output: No trusted SAM account * (0xc000018b) Wed Aug 16 10:51:56 2017 : Debug: *Exec plaintext: No trusted SAM account* (0xc000018b)
That's an error produced by AD, not FreeRADIUS.
Can you tell me why mschap auth is ok without LDAP support and it's wrong with LDAP support???
Since you didn't say what you did for LDAP authorization, I have no idea what's going wrong. But from the error message above, it *is* clear that the user isn't allowed to use AD authentication. That is an issue entirely separate from LDAP authorization. Alan DeKok.