ldap group checking against active directory
Chris Liles
Chris.Liles at air2web.com
Sun May 7 23:51:32 CEST 2006
Hello mailing list!
I have tried to search the archive and the web for the answer to my question but I am unable to find the answer.
I'm sure someone here has run into this before.
I am attempting to setup the good old freeradius + active directory + access point to get peap going scenario.
I have freeradius setup fine to use ldap to auth the user, and it works.
I am attempting to setup finer access control (well really simple) to check if the user is a member of a group before allowing access.
Here are some configs:
radiusd.conf
ldap {
        server = "domaincontroller.my.domain.com"
        identity = "adreader"
        password = "test1234"
        basedn = "cn=users,dc=my,dc=domain,dc=com"
        filter = "(sAMAccountName=%u)"
        port = 636
        start_tls = no
        tls_mode = no
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = "memberOf"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
In my users file all I have is:
DEFAULT Ldap-Group == "badgroup", Auth-Type := Reject
        Reply-Message = "Sorry, you are not allowed to have access"
When I use NTRadPing to test with a user that is in "badgroup" I still get an Access-Accept back.
I can do an ldap search using the groupmembership_filter and I get back all the groups my test user is in so I know that isn't the problem. Of course when I do my search I replace the %{Ldap-UserDn} with the actual "cn=username,<what I have for basedn>"
Also I have the groupmembership_attribute defined because from what I gather from the docs, it is used if the groupmembership filter fails.
Anywho, when I send an auth request while watching the debug output I don't see anything about checking for group/groupmembership/etc.
If I change my filter (filter = "(sAMAccountName=%u)") to also check for the group name, everything will work, but of course I would like to use the users file.
I've got TLS set to no and port set to 636 because I am using a crap-tacular windows 2000 domain, which doesn't support TLS :-(
I think I am missing something or something isn't quite right. Anyone have any ideas, or has anyone gotten ldap group checking to work against active directory??
Thanks
--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309
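The following is an added illustration, not code from the post above or from FreeRADIUS. It models the group check the poster is configuring with a tiny in-memory directory and a minimal LDAP filter evaluator: the user is looked up with the `(sAMAccountName=%u)` filter, the resulting DN is substituted into the `groupmembership_filter`, and the users-file policy ("reject if Ldap-Group == badgroup, otherwise accept") is applied. The directory entries, user names and the `wifi-users` group are constructed for the example; the `ldap_groups`, `authorize` and `authorize_fail_closed` functions are hypothetical names, not rlm_ldap internals. The point it makes is the one behind the symptom in the post: a deny-on-group rule is fail-open, so if the group lookup never runs or returns nothing, the DEFAULT entry falls through to Access-Accept, whereas an allow-list rule fails closed.

```python
import re

# Constructed in-memory directory standing in for Active Directory (example data only).
DIRECTORY = [
    {"dn": "cn=alice,cn=users,dc=my,dc=domain,dc=com", "objectClass": ["user"],
     "sAMAccountName": ["alice"], "memberOf": ["cn=badgroup,cn=users,dc=my,dc=domain,dc=com"]},
    {"dn": "cn=bob,cn=users,dc=my,dc=domain,dc=com", "objectClass": ["user"],
     "sAMAccountName": ["bob"], "memberOf": ["cn=wifi-users,cn=users,dc=my,dc=domain,dc=com"]},
    {"dn": "cn=badgroup,cn=users,dc=my,dc=domain,dc=com", "objectClass": ["group"],
     "cn": ["badgroup"], "member": ["cn=alice,cn=users,dc=my,dc=domain,dc=com"]},
    {"dn": "cn=wifi-users,cn=users,dc=my,dc=domain,dc=com", "objectClass": ["group"],
     "cn": ["wifi-users"], "member": ["cn=bob,cn=users,dc=my,dc=domain,dc=com"]},
]

BASEDN = "cn=users,dc=my,dc=domain,dc=com"
USER_FILTER = "(sAMAccountName=%u)"
GROUPMEMBERSHIP_FILTER = "(&(objectClass=group)(member=%{Ldap-UserDn}))"


def escape(value):
    """RFC 4515 escaping so a substituted value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand(template, attrs):
    """Fill %u and %{Attribute-Name} placeholders (simplified model of radiusd expansion)."""
    def repl(m):
        name = "User-Name" if m.group(0) == "%u" else m.group(1)
        return escape(attrs.get(name, ""))
    return re.sub(r"%u|%\{([^}]+)\}", repl, template)


def parse_filter(s, pos=0):
    """Parse a minimal RFC 4515 subset: (&...), (|...), (!...) and (attr=value)."""
    assert s[pos] == "(", "filter component must start with '('"
    pos += 1
    if s[pos] in "&|!":
        op, children = s[pos], []
        pos += 1
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        assert s[pos] == ")", "unterminated compound filter"
        return (op, children), pos + 1
    end = s.index(")", pos)                 # escaped values contain no raw ')'
    attr, value = s[pos:end].split("=", 1)  # value may itself be a DN with '='
    return ("=", attr, value), end + 1


def attr_values(entry, attr):
    """LDAP attribute names are case-insensitive."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v
    return []


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = attr_values(entry, attr)
    if value == "*":                          # presence test
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)  # DNs compare case-insensitively


def search(filter_str, base=BASEDN):
    node, _ = parse_filter(filter_str)
    return [e for e in DIRECTORY if e["dn"].lower().endswith(base.lower()) and matches(node, e)]


def ldap_groups(username):
    """Hypothetical group lookup: find the user's DN, then run the groupmembership filter."""
    users = search(expand(USER_FILTER, {"User-Name": username}))
    if len(users) != 1:
        return []
    user_dn = users[0]["dn"]
    return [g["cn"][0] for g in search(expand(GROUPMEMBERSHIP_FILTER, {"Ldap-UserDn": user_dn}))]


def authorize(username, groups_lookup=ldap_groups):
    """Users-file policy from the post: DEFAULT Ldap-Group == "badgroup" -> Reject, else fall through."""
    if "badgroup" in groups_lookup(username):
        return "Access-Reject"
    return "Access-Accept"


def authorize_fail_closed(username, groups_lookup=ldap_groups):
    """Allow-list variant: membership in a permitted group is required, anything else is rejected."""
    if "wifi-users" in groups_lookup(username):
        return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, ldap_groups(user), authorize(user), authorize_fail_closed(user))
    # Simulate a group lookup that silently yields nothing: the deny rule never fires.
    print("lookup empty:", authorize("alice", lambda u: []), authorize_fail_closed("alice", lambda u: []))
```

Passing `lambda u: []` as the lookup reproduces the situation the post describes (no group check visible in the debug output): the "badgroup" member still gets Access-Accept, while the allow-list policy returns Access-Reject for the same input. The escaping in `expand` is there because the username arrives from the supplicant and is interpolated into the search filter.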