Freeradius Auth via LDAP against Active Directory Server 2003
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jun 5 18:51:11 CEST 2007
On Tue, 2007-06-05 at 09:22 -0500, Ryan Kramer wrote:
>
> Were you ever able to solve the issue of multiple OU's? I have about
> 100 OU's that have users under them, running without a specified OU
Why can't you specify a top-level OU and use subtree searches?
> doesn't work, and obviously once I drop into an OU it hits the users
> that live there, and no others.
The "basedn" config item on the "ldap" module is dynamically expanded.
If you can map a username to an OU, you could use a dynamic expansion
there. But if you've got hundreds of OUs without a common ancestor and
subtree search, I'd say you've designed your LDAP directory wrong.
>
> Ryan
>
>
>
> On 4/29/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> OK tried with 1.1.4 and yerp works great.
>
> radiusd -X output: http://pastebin.ca/464153
> radiusd.conf: http://pastebin.ca/464156
>
> I also realised a mistake I have been making, see I want to search the
> whole active directory, hence I kept setting my basedn without an ou.
> After seeing your excellent example and auth'ing had failed I stuck in
> an OU and tried a user from the OU and worked fine.
>
> So my question is this, to auth people from multiple OU's do I create
> a new ldap module for each OU or is there a simpler way.
>
> Thanks very much for your help Phil, it's been a very productive
> weekend thanks to the info you provided.
>
> My challenge for Monday will be setting up the cisco and
> wireless clients now :)
>
> On 4/29/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> > radiusd.conf: http://pastebin.ca/464133
> > radius -X output: http://pastebin.ca/464138
> >
> > Tried with 1.1.6 and fails with this error:
> >
> > rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> > rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
> > rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
> > radiusd.conf[540]: ldap: Module instantiation failed.
> > radiusd.conf[586] Unknown module "ldap".
> > radiusd.conf[586] Failed to parse "ldap" entry.
> > -----------------------------
> > /etc/raddb/ldap.attrmap does exist as provided by the rpm.
> >
> > [root at localhost src]# ls -l /etc/raddb/ldap.attrmap
> > -rw-r----- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
> >
> > I assume the permissions are correct, as it was installed by rpm. I'm
> > building the 1.1.4 rpm now, will report back once done.
> >
> > On 4/29/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> > > Thanks for the very detailed instructions.
> > >
> > > I will attempt this shortly (bought rad & ad servers home for weekend study).
> > >
> > > Quite possible the biggest learning curve for me is the ldap fields
> > > but I am finally starting to get familiar with them.
> > >
> > > Cheers again, will post back once I've run the radtest.
> > >
> > > On 4/28/07, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> > > > I haven't been following your (quite extensive) queries, so apologies if
> > > > I've missed something fundamental.
> > > >
> > > > I honestly don't know why this is proving so difficult. I've just tested
> > > > this against our own 2k3 AD service, and although I'm pretty familiar
> > > > with FR it took under 5 minutes. Try following the instructions below.
> > > > These were tested with FreeRadius 1.1.4
> > > >
> > > > 1. First, create or locate an existing account which FreeRadius can bind
> > > > and do its searches as. Record the following variables:
> > > >
> > > > SEARCHDN=<the DN of the account>
> > > > SEARCHPW=<the password>
> > > > BASEDN=<the DN below which all your accounts live in AD>
> > > > ADHOST=<hostname of the AD controller you'll search against>
> > > >
> > > > For example, these might be:
> > > >
> > > > SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> > > > SEARCHPW=blahblah
> > > > BASEDN=OU=My Site,DC=mysite,DC=com
> > > >
> > > > 2. Next, take the default "radiusd.conf"
> > > >
> > > > 3. Find the start of the modules section:
> > > >
> > > > modules {
> > > > ...
> > > >
> > > > Delete this line and all the following lines
> > > >
> > > > 4. Insert the following config:
> > > >
> > > > modules {
> > > >     ldap {
> > > >         server = "$ADHOST"
> > > >         identity = "$SEARCHDN"
> > > >         password = "$SEARCHPW"
> > > >
> > > >         basedn = "$BASEDN"
> > > >         filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> > > >
> > > >         dictionary_mapping = ${raddbdir}/ldap.attrmap
> > > >
> > > >         ldap_connections_number = 5
> > > >         timeout = 4
> > > >         timelimit = 3
> > > >         net_timeout = 1
> > > >     }
> > > >
> > > >     preprocess {
> > > >         huntgroups = ${confdir}/huntgroups
> > > >         hints = ${confdir}/hints
> > > >
> > > >         with_ascend_hack = no
> > > >         ascend_channels_per_line = 23
> > > >
> > > >         with_ntdomain_hack = no
> > > >         with_specialix_jetstream_hack = no
> > > >         with_cisco_vsa_hack = no
> > > >     }
> > > >
> > > >     detail {
> > > >         detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> > > >         detailperm = 0644
> > > >     }
> > > >
> > > > }
> > > >
> > > > instantiate {
> > > > }
> > > >
> > > > authorize {
> > > > preprocess
> > > >
> > > > ldap
> > > > }
> > > >
> > > > authenticate {
> > > > Auth-Type LDAP {
> > > > ldap
> > > > }
> > > > }
> > > >
> > > >
> > > > preacct {
> > > > preprocess
> > > > }
> > > >
> > > > accounting {
> > > > detail
> > > > }
> > > >
> > > >
> > > > session {
> > > > }
> > > >
> > > > post-auth {
> > > > }
> > > >
> > > > pre-proxy {
> > > > }
> > > >
> > > > post-proxy {
> > > > }
> > > >
> > > > 5. Start the server with -X
> > > >
> > > > 6. Run "radtest" to send a checking PAP request
> > > >
> > > > It should work.
> > > >
> > > > The above config is the ABSOLUTE BARE MINIMUM server config which will
> > > > check PAP requests ONLY against an AD LDAP server. I do NOT recommend
> > > > you go into service with this config. Try to look at it, understand how
> > > > it's doing what it's doing, *then* start again with the default
> > > > FreeRadius config and make the absolute minimum changes to get back to
> > > > that point.
> > > > -
> > > > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html