Freeradius vs. ActiveDirectory
Völker, Christian
Christian.Voelker at qsc.de
Mon Nov 14 11:22:20 CET 2005
Yohoo!
Yes! I did it! ;)
My freeradius (1.0.1-1.RHEL3) authenticates again our ActiveDirectory (on 2003 Server). Without ntlm_auth!
Below I have added a short summary how I realized it here.
But now I have a question and I can't solve it for myself. I want to retreive some group informations from AD. In an users account I find several values "memberOf" and the DN of the group, where the user belong to.
Now I want to give access via freeradius only to some special groups.
I have figuered out, that there are these parameters:
groupname_attribute, groupmembership_filter and groupmembership_attribute
combined with some entries in the users-file.
I've read the doc/rlm_ldap, but I didn't find any deeper hints or explanation.
Questions:
1. Where can I find some docs about the %{...} Values in groupmebership_filter? Which one should I use in combination with my AD?
2. Which value should I use then in the users-file?
3. Is there anyone who can give a little help in further authenticating with group?
-------------short summary how to authenticate vs. ActiveDirectory -----------------------
/etc/raddb/radiusd.conf
[...]
ldap {
#servername with an AD-Server running Win2003Srv
server = "adsrv.qsc.de"
#The Useraccount for querying AD (anonymous query is disabled)
identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"
#The password for the Query-User
password = 'xxxxxx'
#base DN for user search; all our Users are in ou=employees. Without this "ou=...", no user will be found. \
#I don't understand why
basedn = "ou=employees,dc=qsc,dc=de"
# I've copied the below string, because I didn't understand the meanings of the %{...}
filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"
# I had to increase the timeouts
timeout = 40
timelimit = 30
net_timeout = 10
}
The users-file left on default, no changes.
I hope, I could help some people trying to use AD for radius.
And, I hope, someone will help me with my user-problem.
Greets
Christian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20051114/de57f7ef/attachment.html>
More information about the Freeradius-Users
mailing list