Freeradius-Users Digest, Vol 7, Issue 48

Devel step.devel at laposte.net
Mon Nov 14 20:59:38 CET 2005


On Mon 14/11/2005 at 12:13, freeradius-users-request at lists.freeradius.org
wrote:

> Send Freeradius-Users mailing list submissions to
> 	freeradius-users at lists.freeradius.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> 	freeradius-users-request at lists.freeradius.org
> 
> You can reach the person managing the list at
> 	freeradius-users-owner at lists.freeradius.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
> 
> 
> ______________________________________________________________________
> 
> Today's Topics:
> 
>    1. RE: Freeradius vs. ActiveDirectory (Jonathan De Graeve)
>    2. Re: Freeradius vs. ActiveDirectory (A.L.M.Buxey at lboro.ac.uk)
>    3. AW: Freeradius vs. ActiveDirectory (Völker)
>    4. RE: Failed attempts log (Thierry Hoferlin)
>    5. AW: Freeradius vs. ActiveDirectory (Völker)
> 
> 
> ______________________________________________________________________
> From: Jonathan De Graeve <Jonathan.De.Graeve at imelda.be>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: RE: Freeradius vs. ActiveDirectory
> Date: Mon, 14 Nov 2005 11:36:45 +0100
> 
> 
> 
> What about the password?
> 
>  
> 
> I thought this was a kerberos one and didn’t reside into the ldap
> itself?
> 
>  
> 
> --
> Jonathan De Graeve
> Network/System Administrator
> Imelda vzw
> Informatica Dienst
> 015/50.52.98
> jonathan.de.graeve at imelda.be
> 
> ---------
> Always read the manual for the correct way to do things because the
> number of incorrect ways to do things is almost infinite
> ---------
> 
> 
> ______________________________________________________________________
> 
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On behalf of Völker,
> Christian
> Sent: Monday 14 November 2005 11:22
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius vs. ActiveDirectory
> 
> Yohoo!
> 
> Yes! I did it! ;)
> 
> My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory
> (on 2003 Server). Without ntlm_auth!
> 
> Below I have added a short summary of how I realized it here.
> 
> But now I have a question and I can't solve it for myself. I want to
> retrieve some group information from AD. In a user's account I find
> several values "memberOf" and the DN of the group the user
> belongs to.
> 
> Now I want to give access via freeradius only to some special groups.
> 
> I have figured out that there are these parameters:
> 
> groupname_attribute, groupmembership_filter and
> groupmembership_attribute
> 
> combined with some entries in the users-file.
> 
> I've read the doc/rlm_ldap, but I didn't find any deeper hints or
> explanation.
> 
> Questions:
> 
> 1. Where can I find some docs about the %{...} values in
> groupmembership_filter? Which one should I use in combination with my
> AD?
> 
> 2. Which value should I use then in the users-file?
> 
> 3. Is there anyone who can give a little help in further
> authenticating with groups?
> 
> -------------short summary how to authenticate vs. ActiveDirectory
> -----------------------
> 
> /etc/raddb/radiusd.conf
> 
> [...]
> 
>  ldap {
>                 # servername with an AD-Server running Win2003Srv
>                 server = "adsrv.qsc.de"
> 
>                 # The user account for querying AD (anonymous query is disabled)
>                 identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"
> 
>                 # The password for the query user
>                 password = 'xxxxxx'
> 
>                 # base DN for user search; all our users are in ou=employees.
>                 # Without this "ou=...", no user will be found.
>                 # I don't understand why
>                 basedn = "ou=employees,dc=qsc,dc=de"
> 
>                 # I've copied the below string, because I didn't
>                 # understand the meanings of the %{...}
>                 filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"
> 
>                 # I had to increase the timeouts
>                 timeout = 40
>                 timelimit = 30
>                 net_timeout = 10
>     }
> 
> The users-file left on default, no changes.
> 
> I hope I could help some people trying to use AD for radius.
> 
> And I hope someone will help me with my user problem.
> 
> Greets
> 
> Christian
> 
> ______________________________________________________________________
> 
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius vs. ActiveDirectory
> Date: Mon, 14 Nov 2005 10:42:07 +0000
> 
> Hi,
> 
> > I hope, I could help some people trying to use AD for radius.
> 
> there is another way - use the krb module to authenticate against AD
> 
> alan
> 
> 
> 
> ______________________________________________________________________
> 
> From: "Völker, Christian" <Christian.Voelker at qsc.de>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: AW: Freeradius vs. ActiveDirectory
> Date: Mon, 14 Nov 2005 11:50:10 +0100
> 
> Yohoo!
> 
> 
> > What about the password?
> Which password? The User-Password? Or the shared secret?
> The Password for the Proxy-User is written down in the radiusd.conf.
> 
> 
> > I thought this was a kerberos one and didn't reside into the ldap itself?
> Kerberos is installed, but I don't use it (I think so! ;-))
> 
> Greets 
> Christian
> 
> 
> 
> 
> 
> 
> ______________________________________________________________________
> 
> From: Thierry Hoferlin <thierry.hoferlin at staff.cybernet.be>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: RE: Failed attempts log
> Date: Mon, 14 Nov 2005 11:50:39 +0100
> 
>  
> Thanks Nicolas,
> 
> It works fine.
> 
> Just for info, the attributes to use in the mssql.conf file are
> "postauth_table" and "postauth_query"
> With the following radius configuration :
> 
> post-auth {
> 
> 	Post-Auth-Type REJECT {
> 		sql
> 	}
> }
> 
> 
> Regards,
> 
> Thierry.
> 
>  
> 
> 
> >Thierry Hoferlin wrote:
> >
> >> I've configured a freeradius 1.0.5 with MSSQL authentification. 
> >> It works fine.
> >>
> >> Is there a way to log failed authentification records to SQL  ?
> >
> >Please don't post HTML on the list.
> >
> >Search the archives for detailed instructions, but the general idea is
> to use the module "sql" in section "post-auth".
> >
> >http://freeradius.org/radiusd/doc/Post-Auth-Type
> >
> >--
> >Nicolas Baradakis
> >
> >-
> >List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 
> 
> 
> ______________________________________________________________________
> 
> From: "Völker, Christian" <Christian.Voelker at qsc.de>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: AW: Freeradius vs. ActiveDirectory
> Date: Mon, 14 Nov 2005 11:51:26 +0100
> 
> Yohoo!
> 
> 
> >> I hope, I could help some people trying to use AD for radius.
> >there is another way - use the krb module to authenticate against AD
> 
> Are there any advantages/ disadvantages ldap <-> krb5?
> 
> 
> 
> 
> 
> 
> ______________________________________________________________________
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Hello.

I made a Freeradius 1.04 working configuration to authenticate users
using krb5. It works without any problem, and if you look at Microsoft
documentation, you will see that it recommends using krb5 for
alien (Unix...)/Microsoft cross authentication.

When using LDAP you must "translate" standard attributes into Microsoft
ones without many guarantees that it will keep working after the next
patch. I know Microsoft wants to make its AD more compatible with standards,
but for the moment I still wait and see.

On the other hand, LDAP is a much more powerful protocol that does not
only deal with authentication, while Kerberos's only goal is
authentication. Maybe powerful users may use LDAP's power through
Radius. I do not, and I'm not able to help you in that way.

If someone is interested in using Radius<->krb5<->AD, I may (I have
very poor English and I'm not a radius "hacker") help him.

Just post to this mailing list that you are interested in it and I will
answer as soon as I can.

Bye.

Stephane
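Christian's two open points in the quoted digest, what the %{...} references in the user filter resolve to and how to decide access from the memberOf values, can be modelled outside the server. The Python below is an added example for this archive page; it is neither part of the thread nor FreeRADIUS code, and the real server performs its own expansion. It shows the %{A:-B} fallback (use attribute A, else B), escapes every substituted value per RFC 4515 so a User-Name containing filter metacharacters cannot change the filter's structure, and compares group DNs after normalising case and whitespace. The request attributes, the group names and the allow list are constructed for the example; the domain is the one from Christian's config.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter. Braces are
# also hex-escaped (RFC 4515 allows escaping any byte) so an attribute value
# can never be mistaken for part of a %{...} reference during expansion.
_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00",
    "{": r"\7b", "}": r"\7d",
}

# %{Attr} or %{Attr:-default}; the default may not contain braces, which is
# what forces innermost-first expansion of nested references.
_REF = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^{}]*))?\}")


def escape_filter_value(value: str) -> str:
    """Escape one value for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, attrs: dict) -> str:
    """Expand %{Attr} and %{Attr:-default} references in a filter template.

    Innermost references are expanded first, so a nested default such as
    %{Stripped-User-Name:-%{User-Name}} works. Values that come from request
    attributes are escaped; literal template text is left untouched.
    """
    while True:
        m = _REF.search(template)
        if m is None:
            return template
        name, default = m.group(1), m.group(2)
        if name in attrs:
            value = escape_filter_value(str(attrs[name]))
        elif default is not None:
            value = default  # already expanded/escaped by an earlier pass
        else:
            value = ""
        template = template[: m.start()] + value + template[m.end():]


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing AD distinguished names: lower-case, with
    whitespace around ',' and '=' removed. Escaped commas inside an RDN value
    are not handled; this is enough for ordinary group DNs."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def is_member_of_allowed(member_of, allowed_groups) -> bool:
    """True if any DN in the user's memberOf values is in the allow list."""
    allowed = {normalize_dn(g) for g in allowed_groups}
    return any(normalize_dn(dn) in allowed for dn in member_of)


# Constructed sample data (not from a real directory): the group names and
# the allow list are assumptions; the domain follows Christian's config.
SAMPLE_REQUEST = {"User-Name": "cvoelker@qsc.de", "Stripped-User-Name": "cvoelker"}
SAMPLE_ENTRY = {
    "sAMAccountName": "cvoelker",
    "memberOf": [
        "CN=Employees,OU=Groups,DC=qsc,DC=de",
        "CN=VPN-Users, OU=Groups, DC=qsc, DC=de",
    ],
}
ALLOWED_GROUPS = ["cn=vpn-users,ou=groups,dc=qsc,dc=de"]
USER_FILTER = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"


def authorize(request, entry, allowed_groups=ALLOWED_GROUPS):
    """Model of the two-step flow: build the user search filter, then decide
    access from the found entry's memberOf values. Returns (filter, ok)."""
    ldap_filter = expand_filter(USER_FILTER, request)
    ok = is_member_of_allowed(entry.get("memberOf", []), allowed_groups)
    return ldap_filter, ok


if __name__ == "__main__":
    flt, ok = authorize(SAMPLE_REQUEST, SAMPLE_ENTRY)
    print(flt, "->", "Access-Accept" if ok else "Access-Reject")
    # A User-Name carrying filter metacharacters stays inside its own value:
    print(expand_filter(USER_FILTER, {"User-Name": "*)(objectClass=*"}))
```

The escaping step is the part to check against whichever server version is in use: if the value substituted for %{User-Name} reaches the directory unescaped, a crafted login name can widen the search filter rather than look up one account. The DN comparison is deliberately lenient about case and spacing because memberOf values returned by AD are not guaranteed to match the exact spelling an administrator typed into an allow list.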