Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator

Dusty Doris freeradius at mail.doris.cc
Wed Nov 30 16:15:56 CET 2005


> Radiusd.conf:
>
>                filter =
> "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptp
> cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
>
> This works fine. However I can't get it to return any replyItems. Has
> anyone gotten this to work with Active Directory? All the docs I see on
> the Net refeerence OpenLDAP. I'm sure there is a lot of folks out there
> running Windows 2000/2003 Active Directory.
>
> I have spent a couple of days on this not having much luck. Here are a
> few questions that would help me a bit.
>
> 1) Do I need groupname_attribute to get this to work?
>
> 2) What about groupmembership_filter and groupmembership_attribute?
>
> My ldap.attrmap looks like this:
>
> replyItem       Class                           groupofnames
> replyItem       Class                           group
>
> I think the above is correct. Can someone shed some light on this?

Are group and groupofnames attributes of a user?  When freeradius 
searches for reply items it is searching for attributes of that user.

eg:

dn: cn=someuser,...
group: somegroup

Should then add

Class = somegroup

to the reply items.

If you want to make reply items attached to a group, rather than to an 
individual, you will need to set the User-Profile attribute.

For example,

dn: cn=somegroup,ou=groups,...
group: somegroup

Then in the users file.

DEFAULT Ldap-Group == somegroup, User-Profile := 
"cn=somegroup,ou=groups,..."

You may be able to do this dynamically using xlat or something like 
huntgroups too.  If you want an example, send us an example of a user and 
group from AD in ldif format and an example of a radius packet that you 
would expect in the reply and I'll see if I can come up with an idea for 
ya.

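Added example, not from the thread and not FreeRADIUS code: a small Python model of the two behaviours the reply describes, so the attrmap can be tested offline against an LDIF dump before touching radiusd. replyItem lines in ldap.attrmap are applied to the attributes of the entry that was found (the user); an entry named by User-Profile gets the same treatment. The LDIF, the DNs, the hypothetical "group" attribute (as in the reply) and the extra Reply-Message/description mapping are all constructed for the example. Base64 ("::") LDIF values are not decoded.

```python
"""Offline model of how replyItem lines in ldap.attrmap turn into RADIUS
reply items.  Constructed example, not FreeRADIUS code.

Two cases from the mailing-list reply:
  1. replyItem values come from attributes of the user entry itself, so a
     mapping whose LDAP attribute is absent from the user yields nothing.
  2. User-Profile names a second DN (e.g. a group) whose attributes are
     mapped the same way, which is how reply items get attached to a group.
"""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]      # attribute name (lower-cased) -> values
Directory = Dict[str, Entry]      # dn (lower-cased) -> entry

# Constructed LDIF.  "someuser" carries the hypothetical "group" attribute from
# the reply; "vpnuser" is an ordinary AD-style user without it (the poster's
# situation); "somegroup" is the group entry a User-Profile could point at.
SAMPLE_LDIF = """\
dn: CN=someuser,OU=Datawave Users,DC=corp,DC=van,DC=dwave
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: someuser
group: somegroup

dn: CN=vpnuser,OU=Datawave Users,DC=corp,DC=van,DC=dwave
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: vpnuser

dn: CN=somegroup,OU=groups,DC=corp,DC=van,DC=dwave
objectClass: top
objectClass: group
cn: somegroup
group: somegroup
description: VPN users
"""

# Constructed ldap.attrmap: the poster's two Class lines plus one extra mapping
# to show that a multi-attribute profile entry yields several reply items.
ATTRMAP = """\
replyItem       Class                           groupofnames
replyItem       Class                           group
replyItem       Reply-Message                   description
"""

USER_DN = "CN=someuser,OU=Datawave Users,DC=corp,DC=van,DC=dwave"
PLAIN_USER_DN = "CN=vpnuser,OU=Datawave Users,DC=corp,DC=van,DC=dwave"
GROUP_DN = "CN=somegroup,OU=groups,DC=corp,DC=van,DC=dwave"


def parse_ldif(text: str) -> Directory:
    """Parse a minimal LDIF dump (folded lines, comments, multi-valued
    attributes) into dn -> {attribute: [values]}.  Names and DNs are
    lower-cased because LDAP compares them case-insensitively."""
    unfolded = re.sub(r"\r?\n ", "", text)          # join continuation lines
    directory: Directory = {}
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry: Entry = {}
        dn: Optional[str] = None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                entry.setdefault(name, []).append(value)
        if dn is not None:
            directory[dn.lower()] = entry
    return directory


def parse_attrmap(text: str) -> List[Tuple[str, str, str]]:
    """Parse ldap.attrmap lines: <checkItem|replyItem> <RADIUS attr> <LDAP attr>."""
    mapping = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, radius_attr, ldap_attr = line.split()
            mapping.append((kind, radius_attr, ldap_attr.lower()))
    return mapping


def reply_items(entry: Entry, attrmap) -> List[Tuple[str, str]]:
    """One RADIUS attribute per value of each mapped LDAP attribute that is
    present on the entry.  A mapping whose attribute is missing adds nothing,
    silently, which is what an empty reply usually means."""
    items = []
    for kind, radius_attr, ldap_attr in attrmap:
        if kind == "replyItem":
            for value in entry.get(ldap_attr, []):
                items.append((radius_attr, value))
    return items


def reply_for_user(directory: Directory, user_dn: str, attrmap,
                   user_profile: Optional[str] = None) -> List[Tuple[str, str]]:
    """Reply items taken from the user entry, followed by those of the
    User-Profile entry when one is set (e.g. via the users file)."""
    items = reply_items(directory[user_dn.lower()], attrmap)
    if user_profile:
        items += reply_items(directory[user_profile.lower()], attrmap)
    return items


if __name__ == "__main__":
    directory, attrmap = parse_ldif(SAMPLE_LDIF), parse_attrmap(ATTRMAP)
    print("user with group attr :", reply_for_user(directory, USER_DN, attrmap))
    print("plain AD user        :", reply_for_user(directory, PLAIN_USER_DN, attrmap))
    print("plain user + profile :", reply_for_user(directory, PLAIN_USER_DN, attrmap, GROUP_DN))
```

Running it shows the poster's empty reply for the plain user, a single Class for the user that really carries the attribute, and both Class and Reply-Message once User-Profile points at the group entry. To use it against a real directory, replace SAMPLE_LDIF with the output of an ldapsearch for the user and the group.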
More information about the Freeradius-Users mailing list