Active Directory with NTLM_AUTH

duckeo duckeo at gmail.com
Fri Oct 13 08:05:35 CEST 2006


> You can use LDAP in the authorize section to accomplish this.  Is the
> group name you are checking against static?  Is it
> sometimes/always/never the primary group for the user?

Group name is static, never the primary group for the user. What is
added to the user file for this? Is it similar to below:
DEFAULT Ldap-Group == "GroupName"
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
etc..

Can I simply use the:
--require-membership-of='DOMAIN\Group'
option of ntlm_auth to accomplish the group check?

> > I have had LDAP only working with PAP, but am stuck with getting it to
> > work with MS-CHAP.
>
> You can't use LDAP with MS-CHAP.  Use the mschap module to do the
> authentication.

Yup, I realised this, which is why I'm pursuing the mschap module with ntlm_auth.

> Look at the comments in radiusd.conf to see how to use
> ntlm_auth via the mschap module of FR.

I'm not finding the comments very useful in terms of what I need to do
next after setting the options, which is why I posted here.


