ldap group checking against active directory

Chris Liles Chris.Liles at air2web.com
Sun May 7 23:51:32 CEST 2006

Hello mailing list!
I have tried to search the archive and the web for the answer to my question but I am unable to find the answer.
I'm sure someone here has run into this before.
I am attempting to set up the good old freeradius + active directory + access point to get peap going scenario.
I have freeradius set up fine to use ldap to auth the user, and it works.
I am attempting to set up finer access control (well, really simple) to check if the user is a member of a group before allowing access.
Here are some configs:
      ldap {
                server = "domaincontroller.my.domain.com"
                identity = "adreader"
                password = "test1234"
                basedn = "cn=users,dc=my,dc=domain,dc=com"
                filter = "(sAMAccountName=%u)"
                port = 636
                start_tls = no
                tls_mode = no
                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
                groupmembership_attribute = "memberOf"
                timeout = 4
                timelimit = 3
                net_timeout = 1
      }
In my users file all I have is:
DEFAULT Ldap-Group == "badgroup", Auth-Type := Reject
       Reply-Message = "Sorry, you are not allowed to have access"
When I use NTRadPing to test with a user that is in "badgroup" I still get an Access-Accept back.
I can do an ldap search using the groupmembership_filter and I get back all the groups my test user is in so I know that isn't the problem. Of course when I do my search I replace the %{Ldap-UserDn} with the actual "cn=username,<what I have for basedn>"
Also I have the groupmembership_attribute defined because from what I gather from the docs, it is used if the groupmembership filter fails.
Anywho, when I send an auth request while watching the debug output I don't see anything about checking for group/groupmembership/etc.
If I change my filter (filter = "(sAMAccountName=%u)") to also check for the group name, everything will work, but of course I would like to use the users file.
I've got TLS set to no and port set to 636 because I am using a crap-tacular windows 2000 domain, which doesn't support TLS :-(
I think I am missing something or something isn't quite right. Anyone have any ideas, or has anyone gotten ldap group checking to work against active directory?
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309
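As an added illustration (not part of the original post and not FreeRADIUS's own rlm_ldap code), the script below models the two lookups the config above implies against a constructed in-memory directory: find the user with filter = "(sAMAccountName=%u)", expand %{Ldap-UserDn} into groupmembership_filter, fall back to the memberOf attribute when that search returns nothing, and then apply the users-file check "Ldap-Group == badgroup". The DIRECTORY contents, the users "chris" and "alice", and the group "wifiusers" are assumptions made for the example; the DN-vs-cn comparison at the end is the point worth checking in the real debug output, since AD returns group DNs while the users file names the group by cn.

```python
import re

# Constructed sample directory standing in for the AD tree under the post's basedn
# (not a real dump). Group references in memberOf/member are full DNs, as AD returns them.
BASEDN = "cn=users,dc=my,dc=domain,dc=com"
DIRECTORY = {
    f"cn=chris,{BASEDN}": {"objectClass": ["user"], "sAMAccountName": ["chris"],
                           "memberOf": [f"cn=badgroup,{BASEDN}"]},
    f"cn=alice,{BASEDN}": {"objectClass": ["user"], "sAMAccountName": ["alice"],
                           "memberOf": [f"cn=wifiusers,{BASEDN}"]},
    f"cn=badgroup,{BASEDN}": {"objectClass": ["group"], "member": [f"cn=chris,{BASEDN}"]},
    f"cn=wifiusers,{BASEDN}": {"objectClass": ["group"], "member": []},  # only memberOf set
}
USER_FILTER = "(sAMAccountName=%u)"
GROUPMEMBERSHIP_FILTER = "(&(objectClass=group)(member=%{Ldap-UserDn}))"

def xlat(template, request):
    """Expand the %u and %{Attr} references that appear in the post's filters."""
    out = template.replace("%u", request.get("User-Name", ""))
    return re.sub(r"%\{([\w-]+)\}", lambda m: request.get(m.group(1), ""), out)

def matches(entry, filt):
    """Evaluate the AND-of-equality filters used here; values compare case-insensitively."""
    for attr, val in re.findall(r"\(([\w-]+)=([^()]*)\)", filt):
        if val.lower() not in (v.lower() for v in entry.get(attr, [])):
            return False
    return True

def search(filt):
    return {dn: e for dn, e in DIRECTORY.items() if matches(e, filt)}

def cn_of(dn):
    return dn.split(",", 1)[0].split("=", 1)[1]

def user_groups(user_name):
    """Locate the user as filter=(sAMAccountName=%u) does, then collect group names from
    the groupmembership_filter search, or from memberOf if that search comes back empty."""
    request = {"User-Name": user_name}
    found = search(xlat(USER_FILTER, request))
    if not found:
        return None
    user_dn, entry = next(iter(found.items()))
    request["Ldap-UserDn"] = user_dn  # the value %{Ldap-UserDn} in the filter expands to
    group_dns = list(search(xlat(GROUPMEMBERSHIP_FILTER, request))) or entry.get("memberOf", [])
    return [cn_of(dn) for dn in group_dns]  # users file names groups by cn, not by DN

def authorize(user_name, reject_group="badgroup"):
    """Apply the post's users entry: DEFAULT Ldap-Group == "badgroup", Auth-Type := Reject."""
    groups = user_groups(user_name)
    if groups is None or reject_group in groups:
        return "Reject"
    return "Accept"
```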