Once again FR "just works". :-) I decided to try LDAP for my clear text PAP authentication against an Active Directory (so I can get rid of PAM/winbind). Having read so many horror stories from people trying to do this, I expected it to be problematic. It took exactly 5 minutes to get it working. So I thought I'd share the details for anyone else googling around for this topic. There's lots of stuff about Windows AD using ntlm_auth for MS-CHAP out there, but very little about clear text using LDAP (that I could find). The only changes from the out-of-box config I needed to get it working were: modules { ... ldap { ... server = somehost.somedomain.com identity = " CN=someuser,CN=Users,DC=somedomain,DC=com " password = somepassword basedn = "CN=Users,DC=somedomain,DC=com" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=people)" ... } ... } authorize { ... ldap ... } authenticate { ... ldap ... } Notes: The 'ldap' must appear in the authorize and authenticate sections somewhere BEFORE 'pap'. Windows AD uses 'sAMAccountName' instead of 'uid' in the filter. You have to provide a valid identity and password, it won't work with anonymous binding. The filter spec above is in FR 2.x format, in 1.x you need to strip one set of %{} out thusly: filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" I'll no doubt ratchet the basedn down to a more specific domain group and play with the user and group profile stuff now I have it working, but those changes got me going. -- hugh
participants (1)
-
Hugh Messenger