Windows AD cleartext LDAP in 5 minutes
Hugh Messenger
hugh at alaweb.com
Mon Jul 23 14:37:21 CEST 2007
Once again FR "just works". :-)
I decided to try LDAP for my clear text PAP authentication against an Active
Directory (so I can get rid of PAM/winbind). Having read so many horror
stories from people trying to do this, I expected it to be problematic.
It took exactly 5 minutes to get it working. So I thought I'd share the
details for anyone else googling around for this topic. There's lots of
stuff about Windows AD using ntlm_auth for MS-CHAP out there, but very
little about clear text using LDAP (that I could find).
The only changes from the out-of-box config I needed to get it working were:

    modules {
        ...
        ldap {
            ...
            server = somehost.somedomain.com
            identity = "CN=someuser,CN=Users,DC=somedomain,DC=com"
            password = somepassword
            basedn = "CN=Users,DC=somedomain,DC=com"
            filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
            base_filter = "(objectclass=people)"
            ...
        }
        ...
    }
    authorize {
        ...
        ldap
        ...
    }

    authenticate {
        ...
        ldap
        ...
    }
Notes:

The 'ldap' must appear in the authorize and authenticate sections somewhere
BEFORE 'pap'.
Windows AD uses 'sAMAccountName' instead of 'uid' in the filter.
You have to provide a valid identity and password; it won't work with
anonymous binding.
The filter spec above is in FR 2.x format; in 1.x you need to strip one set
of %{} out thusly:

    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
I'll no doubt ratchet the basedn down to a more specific domain group and
play with the user and group profile stuff now I have it working, but those
changes got me going.
-- hugh
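An added example (not part of Hugh's post and not FreeRADIUS code) modelling what the filter line in the config above does at request time. The xlat %{%{Stripped-User-Name}:-%{User-Name}} (and its 1.x spelling) picks Stripped-User-Name when the realm module has stripped a realm, otherwise falls back to User-Name, and rlm_ldap escapes the expanded value before splicing it into the search filter. The escaping is reproduced here per RFC 4515 so its effect is visible against a User-Name that contains filter metacharacters; the realm stripping is a simplified stand-in for the 'suffix' realm module, and the sample user names are constructed.

```python
"""rlm_ldap user-filter expansion, modelled in Python.

Added example, not from the original post and not FreeRADIUS code. The
filter template is the one from the post's config; the request attributes
and user names below are constructed for illustration.
"""
from typing import Dict, Optional

# Filter template exactly as in the post, with the xlat replaced by a placeholder.
FILTER_TEMPLATE = "(sAMAccountName={user})"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a string for use as a value inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_realm(user_name: str) -> Optional[str]:
    """Simplified stand-in for the 'suffix' realm module: 'user@realm' -> 'user'.

    Returns None when there is no realm; FreeRADIUS then leaves
    Stripped-User-Name unset and the xlat falls back to User-Name.
    """
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[0]


def make_request(user_name: str) -> Dict[str, str]:
    """Build the request attributes as they look after the realm module ran."""
    attrs = {"User-Name": user_name}
    stripped = strip_realm(user_name)
    if stripped is not None:
        attrs["Stripped-User-Name"] = stripped
    return attrs


def resolve_user(attrs: Dict[str, str]) -> str:
    """%{%{Stripped-User-Name}:-%{User-Name}}: first of the two that is set."""
    for name in ("Stripped-User-Name", "User-Name"):
        value = attrs.get(name)
        if value:
            return value
    raise ValueError("request carries neither Stripped-User-Name nor User-Name")


def build_filter(attrs: Dict[str, str], escape: bool = True) -> str:
    """Expand the filter for one request.

    escape=False shows what an unescaped expansion would look like, i.e. the
    filter-injection case that the RFC 4515 escaping prevents.
    """
    user = resolve_user(attrs)
    if escape:
        user = ldap_escape(user)
    return FILTER_TEMPLATE.format(user=user)


if __name__ == "__main__":
    for name in ("someuser", "someuser@somedomain.com", "*)(objectClass=*"):
        print(f"{name!r:32} -> {build_filter(make_request(name))}")
    print("unescaped injection attempt     ->",
          build_filter(make_request("*)(objectClass=*"), escape=False))
```

Running it shows "someuser" and "someuser@somedomain.com" both expand to (sAMAccountName=someuser), while a User-Name of "*)(objectClass=*" becomes (sAMAccountName=\2a\29\28objectClass=\2a) rather than a filter that matches every object. Since this setup sends the user's cleartext password to AD in the LDAP bind, the ldap module's TLS settings (ldaps or StartTLS) are the other thing worth checking before relying on it.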
More information about the Freeradius-Users
mailing list