radiusd.conf: http://pastebin.ca/464133 radius -X ouput: http://pastebin.ca/464138 Tried with 1.1.6 and fails with this error: rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed radiusd.conf[540]: ldap: Module instantiation failed. radiusd.conf[586] Unknown module "ldap". radiusd.conf[586] Failed to parse "ldap" entry. ----------------------------- /etc/raddb/ldap.attrmap does exist as provided by the rpm. [root@localhost src]# ls -l /etc/raddb/ldap.attrmap -rw-r----- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap I assume the permissions are correct, as it was installed by rpm. Im building the 1.1.4 rpm now, will report back once done. On 4/29/07, Jacob Jarick <mem.namefix@gmail.com> wrote:
Thanks for the very detailed instructions.
I will attempt this shortly (bought rad & ad servers home for weekend study).
Quite possible the biggest learning curve for me is the ldap fields but I am finally starting to get familar with them.
Cheers again, will post back once Ive run the radtest.
On 4/28/07, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
I haven't been following your (quite extensive) queries, so apologies if I've missed something fundamental.
I honestly don't know why this is proving so difficult. I've just tested this against our own 2k3 AD service, and although I'm pretty familiar with FR it took under 5 minutes. Try following the instructions below. These were tested with FreeRadius 1.1.4
1. First, create or locate an existing account which FreeRadius can bind and do it's searches as. Record the following variables:
SEARCHDN=<the DN of the account> SEARCHPW=<the password> BASEDN=<the DN below which all your accounts live in AD> ADHOST=<hostname of the AD controller you'll search against>
For example, these might be:
SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com SEARCHPW=blahblah BASEDN=OU=My Site,DC=mysite,DC=com
2. Next, take the default "radiusd.conf"
3. Find the start of the modules section:
modules { ...
Delete this line and all the following lines
4. Insert the following config:
modules { ldap { server = "$ADHOST" identity = "$SEARCHDN" password = "$SEARCHPW"
basedn = "$BASEDN" filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 }
preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints
with_ascend_hack = no ascend_channels_per_line = 23
with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no }
detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0644 }
}
instantiate { }
authorize { preprocess
ldap }
authenticate { Auth-Type LDAP { ldap } }
preacct { preprocess }
accounting { detail }
session { }
post-auth { }
pre-proxy { }
post-proxy { }
5. Start the server with -X
6. Run "radtest" to send a checking PAP request
It should work.
The above config is the ABSOLUTE BARE MINIMUM server config which will check PAP requests ONLY against an AD LDAP server. I do NOT recommend you go into service with this config. Try to look at it, understand how it's doing what it's doing, *then* start again with the default FreeRadius config and make the absolute minimum changes to get back to that point. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html