Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator

Alhagie Puye APuye at datawave.com
Fri Dec 2 16:50:31 CET 2005


> >-----Original Message-----
> >From: freeradius-users-bounces at lists.freeradius.org 
> >[mailto:freeradius-users-bounces at lists.freeradius.org] On 
> >Behalf Of Dusty Doris
> >Sent: November 30, 2005 7:16 AM
> >To: FreeRadius users mailing list
> >Subject: RE: Freeradius How to integrate Active Directory 
> >and return group attribute to VPN Concentrator
> >
> >> Radiusd.conf:
> >>
> >>                filter =
> >> 
> >"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(membe
> >rOf=CN=rp
> >> tp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
> >>
> >> This works fine. However I can't get it to return any replyItems. Has
> >> anyone gotten this to work with Active Directory? All the docs I see
> >> on the Net reference OpenLDAP. I'm sure there are a lot of folks out
> >> there running Windows 2000/2003 Active Directory.
> >>
> >> I have spent a couple of days on this not having much luck. Here are a
> >> few questions that would help me a bit.
> >>
> >> 1) Do I need groupname_attribute to get this to work?
> >>
> >> 2) What about groupmembership_filter and groupmembership_attribute?
> >>
> >> My ldap.attrmap looks like this:
> >>
> >> replyItem       Class                           groupofnames
> >> replyItem       Class                           group
> >>
> >> I think the above is correct. Can someone shed some light on this?
> >
> >Is group and groupofnames something that is an attribute of 
> >a user?  When freeradius searches for reply items it is 
> >searching for attributes of that user.
> >
> >eg:
> >
> >dn: cn=someuser,...
> >group: somegroup
> >
> >Should then add
> >
> >Class = somegroup
> >
> >to the reply items.
> >
> >If you want to make reply items attached to a group, rather 
> >than to an individual, you will need to set the User-Profile attribute.
> >
> >For example,
> >
> >dn: cn=somegroup,ou=groups,...
> >group: somegroup
> >
> >Then in the users file.
> >
> >DEFAULT Ldap-Group == somegroup, User-Profile := 
> >"cn=somegroup,ou=groups,..."
> >
> >You may be able to do this dynamically using xlat or 
> >something like huntgroups too.  If you want an example, send 
> >us an example of a user and group from AD in ldif format and 
> >an example of a radius packet that you would expect in the 
> >reply and I'll see if I can come up with an idea for ya.

I'm still waiting for some help with this. I have sent all the
information that you requested.
I have gotten it to return the group name but it is also returning the
username as well, and the username is returned after the group name. Is
there a way to return just the groupname?
I really would like to resolve this issue once and for all.

I'm really surprised that there are not folks on the list who have
Active Directory users that they want to use to lock VPN users into
groups on the VPN Concentrator. If there really isn't, I would put a
howto on this when I get it working and post it on the list.

Here is my latest output:

rlm_ldap: performing search in CN=itops,OU=Information
Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave, with filter
(cn=itops)
rlm_ldap::ldap_groupcmp: User found in group itops
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 163
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat:  '(&(sAMAccountName=apuye)(objectclass=user))'
radius_xlat:  'DC=corp,DC=van,DC=dwave'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter
(&(sAMAccountName=apuye)(objectclass=user))
rlm_ldap: performing search in CN=itops,ou=Information
Technology,ou=Datawave Users,dc=corp,dc=van,dc=dwave, with filter
(objectclass=group)
rlm_ldap: Adding samaccountname as Class, value itops & op=11
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding samaccountname as Class, value apuye & op=11
rlm_ldap: user apuye authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "apuye" with password "XXXXXXXXXXX"
rlm_ldap: user DN: CN=Alhagie Puye,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,DC=dwave
rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 1
rlm_ldap: bind as CN=Alhagie Puye,OU=Information Technology,OU=DataWave
Users,DC=corp,DC=van,DC=dwave/XXXXXXXXXX to huckster.corp.van.dwave:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user apuye authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 4 to 10.99.1.50:1031
        Class = 0x6170757965
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 4 with timestamp 438e98b2
Nothing to do.  Sleeping until we see a request.

Thanks,
Alhagie.
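An added diagnostic, not part of this thread or of FreeRADIUS itself: the Python below parses the rlm_ldap debug output above, decodes the hex-encoded Class in the Access-Accept, and reports when one reply attribute was fed from more than one LDAP entry (here both the group's and the user's sAMAccountName landed on Class because the same ldap.attrmap line matched both entries). The sample input is constructed from the log lines in this message.

```python
import re

# Constructed sample: the relevant rlm_ldap debug lines from the message above,
# kept here only so the parser runs offline.
SAMPLE_DEBUG = """\
rlm_ldap: performing search in CN=itops,ou=Information Technology,ou=Datawave Users,dc=corp,dc=van,dc=dwave, with filter (objectclass=group)
rlm_ldap: Adding samaccountname as Class, value itops & op=11
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding samaccountname as Class, value apuye & op=11
Sending Access-Accept of id 4 to 10.99.1.50:1031
        Class = 0x6170757965
Finished request 1
"""

# One "Adding ..." line per ldap.attrmap hit, for the group/profile entry and the user entry alike.
ADD_RE = re.compile(r"rlm_ldap: Adding (\S+) as (\S+), value (.+?) & op=(\d+)")
# AVPs under "Sending Access-Accept" are printed indented as "<attr> = <value>".
AVP_RE = re.compile(r"^[ \t]+(\S+) = (\S+)[ \t]*$", re.M)

def decode_avp_value(value):
    """Class is an octets attribute, so radiusd prints it as 0x..; decode it for comparison."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:]).decode("utf-8", errors="replace")
    return value

def parse_added_items(debug_text):
    """Every reply item rlm_ldap built, in order: (ldap_attr, radius_attr, value, op)."""
    return [(m[1], m[2], m[3], int(m[4])) for m in ADD_RE.finditer(debug_text)]

def parse_reply_avps(debug_text):
    """Decoded AVPs from the Access-Accept section only."""
    _, marker, tail = debug_text.partition("Sending Access-")
    return {m[1]: decode_avp_value(m[2]) for m in AVP_RE.finditer(tail)} if marker else {}

def check_reply(debug_text):
    """Per RADIUS attribute: the LDAP values mapped onto it, the value actually sent,
    and 'conflict' when more than one distinct value was mapped, which is what
    happens when one attrmap line matches both the group entry and the user entry."""
    report = {}
    for _, radius_attr, value, _ in parse_added_items(debug_text):
        report.setdefault(radius_attr, {"added": [], "sent": None})["added"].append(value)
    sent = parse_reply_avps(debug_text)
    for attr, entry in report.items():
        entry["sent"] = sent.get(attr)
        entry["conflict"] = len(set(entry["added"])) > 1
    return report
```

On the constructed sample, check_reply reports Class added as ['itops', 'apuye'] but sent as 'apuye', i.e. the group value was displaced by the user's own sAMAccountName.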

