Get AD Profile
nf-vale
nf-vale at critical-links.com
Sun Jul 13 22:00:30 CEST 2008
Ok, I finally realised what I was doing wrong. To retrieve one Active
Directory user's group it's not necessary to use the replyItem in
ldap.attrmap. It's only necessary to configure the ldap module
"correctly". So I resolved this using the following configuration:
Sat, 2008-07-12 at 21:58 +0100, Nelson Vale wrote:
> Hi all,
>
>
> I have my freeradius deployment (2.0.2) configured to authenticate users
> against Active Directory and that is working fine. But I want to
> retrieve the user's profile from Active Directory, to add the VLAN ID
> (Tunnel-Private-Group-ID) to the Access-Accept reply.
>
> I really don't know how to do this and I couldn't find a clear solution,
> either in the documentation (rlm_ldap) or by googling. So I would
> appreciate it if someone could give me a hand with this.
>
> What I've done so far is to add this entry to ldap.attrmap file:
> "replyItem radiusProfileDn memberOf". The profile I want to retrieve
> is the CN in this object like "cn=PROFILE,dc=domain,dc=com", but in
> radius debug I'm getting this error:
>
>
> ++[ntdomain] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for figo
> expand: %{Stripped-User-Name} -> figo
> expand: (sAMAccountName=
> %{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) ->
> (sAMAccountName=figo)
> expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldaptest,dc=com, with filter
> (sAMAccountName=figo)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Failed to create the pair: Invalid octet string
> "CN=grupo1,DC=ldaptest,DC=com" for attribute name "radiusProfileDn"
> WARNING: No "known good" password was found in LDAP. Are you sure
> that the user is configured correctly?
> rlm_ldap: user figo authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> rlm_eap: EAP packet type response id 8 length 80
> rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> ++[mschap] returns noop
> expand: %{Stripped-User-Name} -> figo
> expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} ->
> figo
> ++[files] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Success
> Using saved attributes from the original Access-Accept
> rlm_eap: Freeing handler
> ++[eap] returns ok
> Login OK: [LDAPTEST.COM\\figo/<via Auth-Type = EAP>] (from client
> portatil port 0 cli 02-00-00-00-00-01)
> Sending Access-Accept of id 17 to 192.168.10.200 port 33000
> User-Name = "figo"
> MS-MPPE-Recv-Key =
> 0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5
> MS-MPPE-Send-Key =
> 0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d
> EAP-Message = 0x03080004
> Message-Authenticator = 0x00000000000000000000000000000000
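The message above does not include the configuration that fixed this, so the following is an added example (not the author's configuration) of the usual FreeRADIUS 2.x way to turn an AD group into a VLAN assignment: let rlm_ldap expose memberOf through the Ldap-Group check item and assign the Tunnel-* reply attributes in the users file instead of mapping memberOf as a replyItem. The server name, bind account, VLAN number and the inner-tunnel setting are assumptions; the group DN and base DN are taken from the debug output above.

```text
# raddb/modules/ldap  (rlm_ldap, FreeRADIUS 2.x)
ldap {
    server   = "dc1.ldaptest.com"                          # assumption: a domain controller
    identity = "cn=radius,cn=Users,dc=ldaptest,dc=com"     # assumption: read-only bind account
    password = "CHANGE-ME"
    basedn   = "dc=ldaptest,dc=com"
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Make the user's AD group membership available to the Ldap-Group
    # check item. memberOf holds full DNs, so compare against the DN.
    groupmembership_attribute = "memberOf"

    # No reply items are read from AD, so radiusProfileDn / memberOf
    # must NOT be listed as replyItem in ldap.attrmap.
    dictionary_mapping = ${confdir}/ldap.attrmap
}

# raddb/users  (processed by the "files" module)
# Members of grupo1 get VLAN 10 (assumed value); everyone else falls through.
DEFAULT Ldap-Group == "CN=grupo1,DC=ldaptest,DC=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Fall-Through = No

# raddb/eap.conf  -  with PEAP the above runs in the inner-tunnel virtual
# server, so the reply attributes only reach the outer Access-Accept if:
#   peap {
#       use_tunneled_reply = yes
#   }
```

The Ldap-Group comparison performs its own LDAP lookup, so the ldap module must be listed in the authorize section of the inner-tunnel server, and the bind account needs read access to the users' memberOf attribute.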