Can I get group-name from Active-directory? [sec=unclassified]
Ranner, Frank MR
Frank.Ranner at defence.gov.au
Tue Dec 18 00:19:43 CET 2007
From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Hangjun He
Sent: Monday, 17 December 2007 18:32
To: FreeRadius users mailing list
Subject: Can I get group-name from Active-directory?
FreeRADIUS 1.1.6 + samba-tools + active-directory.
Can I get user's group-name by rlm_ldap? How?
Following is the result of ldap-search. (Using ldap client)
# Paul Le, Users, test.com
dn: CN=Paul Le,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Paul Le
sn: Levasseur
distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com
instanceType: 4
whenCreated: 20061118204047.0Z
whenChanged: 20061120041505.0Z
displayName: Paul Levasseur
uSNCreated: 53309
memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com
uSNChanged: 61454
name: Paul Levasseur
objectGUID:: TWcfmIP0S0KptrqNYMartA==
In radiusd.conf set the ldap group parameters:
groupname_attribute = memberOf
groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
If you prefer you can use sAMAccountName instead of cn, or even both:
groupmembership_filter = "(|(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))"
Regards,
Frank Ranner
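
The following Python is an added example, not part of the original thread or of FreeRADIUS itself. It shows what the two-attribute filter expands to for a given request, with the client-supplied user name escaped per RFC 4515, and extracts the group CN from the memberOf value in the ldapsearch output; the function names and the sample requests are assumptions made for the illustration.

```python
import re

# Two-attribute filter from the reply above; XLAT is the expansion it uses.
XLAT = "%{Stripped-User-Name:-%{User-Name}}"
TEMPLATE = "(|(sAMAccountName=" + XLAT + ")(cn=" + XLAT + "))"

# Excerpt of the ldapsearch output quoted in the question.
SAMPLE_LDIF = """dn: CN=Paul Le,CN=Users,DC=test,DC=com
cn: Paul Le
memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com
"""

def escape_filter_value(value):
    """Escape the RFC 4515 filter metacharacters: \\ * ( ) and NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand_filter(request):
    """Model the ':-' fallback: Stripped-User-Name if set, else User-Name."""
    name = request.get("Stripped-User-Name") or request["User-Name"]
    return TEMPLATE.replace(XLAT, escape_filter_value(name))

def group_names(ldif):
    """Return the leading CN of each plain-text memberOf DN in an entry."""
    names = []
    for line in ldif.splitlines():
        if not line.startswith("memberOf: "):
            continue  # base64 values ("memberOf:: ") are not decoded here
        dn = line[len("memberOf: "):]
        # The first RDN ends at the first comma not escaped with a backslash.
        rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "cn":
            names.append(re.sub(r"\\(.)", r"\1", value))
    return names

if __name__ == "__main__":
    # Constructed requests: a plain name, a realm-stripped name, and a name
    # containing filter metacharacters.
    for req in ({"User-Name": "paul"},
                {"User-Name": "paul@test.com", "Stripped-User-Name": "paul"},
                {"User-Name": "p*l (test)"}):
        print(expand_filter(req))
    print(group_names(SAMPLE_LDIF))
```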