Freeradius vs. ActiveDirectory

Völker, Christian Christian.Voelker at qsc.de
Mon Nov 14 11:22:20 CET 2005


Yohoo!
 
Yes! I did it! ;)
 
My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory (on 2003 Server). Without ntlm_auth!
Below I have added a short summary of how I realized it here.
 
But now I have a question and I can't solve it for myself. I want to retrieve some group information from AD. In a user's account I find several values "memberOf" and the DN of the group the user belongs to.
Now I want to give access via freeradius only to some special groups.
 
I have figured out that there are these parameters:
groupname_attribute, groupmembership_filter and groupmembership_attribute
combined with some entries in the users-file.
 
I've read the doc/rlm_ldap, but I didn't find any deeper hints or explanation.
Questions:
1. Where can I find some docs about the %{...} values in groupmembership_filter? Which one should I use in combination with my AD?
2. Which value should I use then in the users-file?
3. Is there anyone who can give a little help in further authenticating with groups?
 
-------------short summary how to authenticate vs. ActiveDirectory -----------------------
/etc/raddb/radiusd.conf
[...]
 ldap {
        # servername with an AD-Server running Win2003Srv
        server = "adsrv.qsc.de"
        # The user account for querying AD (anonymous query is disabled)
        identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"
        # The password for the query user
        password = 'xxxxxx'
        # base DN for user search; all our users are in ou=employees.
        # Without this "ou=...", no user will be found. I don't understand why.
        basedn = "ou=employees,dc=qsc,dc=de"
        # I've copied the below string, because I didn't understand the meanings of the %{...}
        filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"
        # I had to increase the timeouts
        timeout = 40
        timelimit = 30
        net_timeout = 10
 }
The users-file was left at default, no changes.
 
I hope I could help some people trying to use AD for RADIUS.

And I hope someone will help me with my user problem.
 
 
Greets 
 
Christian
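An added example, not part of Christian's post, showing how the three rlm_ldap group parameters from the question can be pointed at AD's group objects, plus a users-file that admits only members of one group instead of every account that can bind. The group cn=RadiusUsers,ou=Groups,dc=qsc,dc=de is an assumed name; everything else follows the ldap {} block above.

```conf
# /etc/raddb/radiusd.conf  (added example; RadiusUsers group is assumed)
ldap {
        server = "adsrv.qsc.de"
        identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"
        password = 'xxxxxx'
        basedn = "ou=employees,dc=qsc,dc=de"
        filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"

        # Name of the attribute the Ldap-Group check value is matched against.
        groupname_attribute = "cn"
        # Forward lookup: AD group objects have objectClass=group and list
        # their members by full user DN in "member". rlm_ldap stores the DN
        # it found for the user in Ldap-UserDn, which %{Ldap-UserDn} expands to.
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        # Reverse lookup: the user object carries the group DNs itself; this
        # is the memberOf value seen in the account.
        groupmembership_attribute = "memberOf"

        timeout = 40
        timelimit = 30
        net_timeout = 10
}

# /etc/raddb/users  (added example)
# The first matching entry wins, so the group check must sit above the
# catch-all reject. A non-member never reaches the LDAP bind.
DEFAULT Ldap-Group == "RadiusUsers", Auth-Type := LDAP
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of RadiusUsers"
```

The Ldap-Group comparison is registered by rlm_ldap itself and performs its own search when Ldap-UserDn is not yet set, so the entry works whether files runs before or after ldap in the authorize section.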