Hi Jose Am 28.04.2016 um 21:16 schrieb Jose via Freeradius-Users:
We currently have an OpenLDAP server where we have users in various OUs.We also have Active Directory with our students and staff in different OUs. How do we configure radius to authenticate with a particular OU instead of everything?For example, only have it authenticate with OU=students. Thanks.
I'm only focusing on AD for authorization, if you want to have both OpenLDAP and AD as (alternate) authentication/authorization source you'll have to make things a bit different (i.e. more mingling with unlang(5) ), that aside: The link you sent only shows AD authentication. Since AD doesn't allow reading the password directly is why you need Samba/winbind to validate credentials.* (also look in the FreeRADIUS wiki) However your AD can be accessed for authorization like (almost?) any other LDAP directrory server using the rlm_ldap module. Consider reading the wiki page on the LDAP module rlm_ldap**, its manpage as well as the default config file of rlm_ldap. It contains useful comments. I can only recommend using 3.0 if you didn't already started with that version. rlm_ldap in 3.0.x has become easier to configure than in it used to be with 2.0.x. You'll have to configure rlm_ldap to connect to your AD servers including the attribute values that AD uses (like uid vs. sAMAccountName) and make sure the ldap module is enabled in your config. When done you can add checks in the post-auth section of inner-tunnel (if using PEAP-MSCHAPv2) similar to the examples in the FR wiki. You'll definitely want to read the unlang(5) manpage in order to do other things like matching the OU which is part of the distinguishedName attribute in AD. Hope that gives you some ideas to look further. -- Mathieu *See: http://deployingradius.com/documents/protocols/oracles.html ** http://wiki.freeradius.org/modules/Rlm_ldap