Freeradius vs. ActiveDirectory

Jonathan De Graeve Jonathan.De.Graeve at imelda.be
Mon Nov 14 11:36:45 CET 2005


What about the password?

I thought this was a Kerberos one and didn't reside in the LDAP itself?

 

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
jonathan.de.graeve at imelda.be

---------
Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite
--------- 

________________________________

From: freeradius-users-bounces at lists.freeradius.org [mailto:freeradius-users-bounces at lists.freeradius.org] On behalf of Völker, Christian
Sent: Monday, 14 November 2005 11:22
To: freeradius-users at lists.freeradius.org
Subject: Freeradius vs. ActiveDirectory

 

Yohoo!

Yes! I did it! ;)

My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory (on 2003 Server). Without ntlm_auth!

Below I have added a short summary of how I realized it here.

 

But now I have a question and I can't solve it for myself. I want to retrieve some group information from AD. In a user's account I find several "memberOf" values with the DN of the group the user belongs to.

Now I want to give access via freeradius only to some special groups.

I have figured out that there are these parameters:

groupname_attribute, groupmembership_filter and groupmembership_attribute

combined with some entries in the users-file.

I've read doc/rlm_ldap, but I didn't find any deeper hints or explanation.

Questions:

1. Where can I find some docs about the %{...} values in groupmembership_filter? Which one should I use in combination with my AD?

2. Which value should I use then in the users-file?

3. Is there anyone who can give a little help in further authenticating with groups?

 

-------------short summary how to authenticate vs. ActiveDirectory -----------------------

/etc/raddb/radiusd.conf

[...]

        ldap {
                # server name of an AD server running Win2003Srv
                server = "adsrv.qsc.de"

                # The user account for querying AD (anonymous query is disabled)
                identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"

                # The password for the query user
                password = 'xxxxxx'

                # Base DN for the user search; all our users are in ou=employees.
                # Without this "ou=...", no user will be found. I don't understand why.
                basedn = "ou=employees,dc=qsc,dc=de"

                # I've copied the string below, because I didn't understand the meanings of the %{...}
                filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"

                # I had to increase the timeouts
                timeout = 40
                timelimit = 30
                net_timeout = 10
        }

The users-file was left at default, no changes.

 

I hope I could help some people trying to use AD for radius.

And I hope someone will help me with my user problem.

Greets

Christian
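As an added illustration (not part of Christian's mail and not FreeRADIUS code), the following Python models what the quoted filter line does and what a memberOf group check looks like: the %{Stripped-User-Name:-%{User-Name}} fallback, RFC 4515 escaping of the user-supplied value so an unescaped "*" cannot become a wildcard search, and a case-insensitive DN comparison against the group DNs AD returns. The directory entries are constructed, the allowed group DN is an assumption, and the matcher handles only the single "(attr=value)" filter form used in the config above.

```python
import re

# Constructed AD-like entries (made up for this example, not real accounts).
# Keys are entry DNs; AD hands back memberOf as a list of group DNs.
DIRECTORY = {
    "cn=alice,ou=employees,dc=qsc,dc=de": {
        "sAMAccountName": "alice",
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=qsc,DC=de",
                     "CN=Staff,OU=Groups,DC=qsc,DC=de"],
    },
    "cn=bob,ou=employees,dc=qsc,dc=de": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=Staff,OU=Groups,DC=qsc,DC=de"],
    },
}

# Special characters in an LDAP filter assertion value (RFC 4515) and their
# \XX escapes. Without this, a User-Name of "*" turns into a wildcard.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_user(request):
    """%{Stripped-User-Name:-%{User-Name}}: the ':-' form means 'use
    Stripped-User-Name if it is set, otherwise fall back to User-Name'."""
    return request.get("Stripped-User-Name") or request.get("User-Name", "")


def build_filter(request):
    """The search filter from the quoted config, with the value escaped."""
    return "(sAMAccountName=%s)" % ldap_escape(expand_user(request))


def filter_to_regex(filt):
    """Tiny matcher for a single '(attr=value)' equality/substring filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, pattern, out, i = m.group(1), m.group(2), [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                       # \XX escape: one literal character
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":                      # unescaped '*' is a wildcard
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    # LDAP attribute names and AD's sAMAccountName are case-insensitive
    return attr.lower(), re.compile("".join(out), re.IGNORECASE)


def search(filt):
    """Return the DNs under the base DN whose attribute matches the filter."""
    attr, rx = filter_to_regex(filt)
    hits = []
    for dn, entry in DIRECTORY.items():
        values = {k.lower(): v for k, v in entry.items()}
        val = values.get(attr)
        if isinstance(val, str) and rx.fullmatch(val):
            hits.append(dn)
    return hits


def normalize_dn(dn):
    """AD returns DNs in mixed case; compare them case-insensitively."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def authorize(request, allowed_group_dn):
    """Look the user up with the escaped filter, then require membership of
    allowed_group_dn via memberOf. Returns a short verdict string."""
    hits = search(build_filter(request))
    if len(hits) != 1:                       # nobody, or an ambiguous match
        return "reject-not-found"
    groups = DIRECTORY[hits[0]].get("memberOf", [])
    wanted = normalize_dn(allowed_group_dn)
    if any(normalize_dn(g) == wanted for g in groups):
        return "accept"
    return "reject-not-member"


if __name__ == "__main__":
    # Assumed group DN; a realm-stripping step is emulated for the "@" case.
    for name in ("alice", "bob", "alice@qsc.de", "*"):
        req = {"User-Name": name}
        if "@" in name:
            req["Stripped-User-Name"] = name.split("@")[0]
        print(name, build_filter(req),
              authorize(req, "cn=vpn-users,ou=groups,dc=qsc,dc=de"))
```

The point of the search() helper is the contrast between the raw filter "(sAMAccountName=*)", which matches every entry, and the escaped one built from a User-Name of "*", which matches nobody; a real rlm_ldap escapes the expanded value for you, but seeing it done explicitly shows why the filter must never be built by plain string concatenation.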
