Active Directory with NTLM_AUTH

Garber, Neal Neal.Garber at energyeast.com
Fri Oct 13 17:11:04 CEST 2006


> What is added to the user file for this? Is it similar to below:

Do you need those reply attributes returned?  If not, you may not need
anything in the users file.  I don't have anything in mine, but I'm not
using radius for dial-up/PPP.

> Can I simply use the: --require-membership-of='DOMAIN\Group'
> option of ntlm_auth to accomplish the group check?

I've used this option manually with clear-text passwords, but I haven't
tried it from mschap in FR.  Does it work for you when you run ntlm_auth
from a shell prompt?  If you can't get it to work from mschap, you can
have LDAP get the user's group memberships by adding a checkItem to
ldap.attrmap.  In our environment, the groups of which a user is a
member are stored in the memberOf LDAP attribute.  So, I have the
following in my ldap.attrmap file:

checkItem Ldap-Group          memberOf

Then, ensure ldap is in your authorize section.  This checkItem will
cause ldap to create one Ldap-Group check attribute for each group of
which the user is a member.  In the past, I have successfully used
checkval to do the comparison.  The checkval module compares a request
attribute to a check attribute.  If your group name isn't in a request
attribute, you can use attr_rewrite to add a request attribute with the
group name you desire to test against.  You would then put checkval
after the attr_rewrite and ldap modules in authorize.  

I'm currently using perl to do authorization because of the flexibility
it affords.  (In my case, depending upon the Huntgroup-Name, the group
membership requirement varies.  Also, for some Huntgroups, I allow
several groups and I return a custom reply attribute that specifies the
user's privilege level based on which group they were a member of.)  If you
use perl, you wouldn't need attr_rewrite or checkval.

I haven't been using FR for very long so this may not be the best
approach.  However, I'm sure others will chime in if there are better
alternatives.
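The attr_rewrite + ldap + checkval pipeline described in the reply, written out as an added configuration sketch that is not from the original post. It assumes FreeRADIUS 1.x module syntax (stock attr_rewrite and checkval parameters), a hypothetical instance name `vpngroup`, and a placeholder group DN; because AD's memberOf holds full distinguished names, the value compared must be the group's DN, not the `DOMAIN\Group` form used by ntlm_auth.

```conf
# --- ldap.attrmap: the line from the post ---
# rlm_ldap turns every memberOf value into one Ldap-Group check item.
checkItem Ldap-Group          memberOf

# --- radiusd.conf, modules section (instance name 'vpngroup' is assumed) ---
# attr_rewrite adds the required group to the request packet so that
# checkval has a request attribute to compare against. The DN below is
# a placeholder; use the real DN of the group you want to require.
attr_rewrite vpngroup {
    attribute = Ldap-Group
    searchin = packet                 # add the attribute to the request
    searchfor = "."                   # not used when new_attribute = yes
    replacewith = "CN=VPN Users,OU=Groups,DC=example,DC=com"
    new_attribute = yes               # create Ldap-Group with the value above
    ignore_case = no
    max_matches = 1
    append = no
}

# checkval compares the request's Ldap-Group with each Ldap-Group check
# item that rlm_ldap created from memberOf and rejects if none matches.
checkval {
    item-name = Ldap-Group            # attribute taken from the request
    check-name = Ldap-Group           # attribute(s) taken from the check items
    data-type = string
    notfound-reject = yes             # no Ldap-Group in the request: reject
}

# --- radiusd.conf, authorize: rewrite and ldap must precede checkval ---
authorize {
    preprocess
    mschap
    vpngroup
    ldap
    checkval
}
```

With `radiusd -X` the debug output shows the Ldap-Group check items ldap produced and which one checkval matched, which is the quickest way to confirm the DN string is exact.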
More information about the Freeradius-Users mailing list