AD, Groups, and LDAP (was Re: separating Users?)

Alan DeKok aland at deployingradius.com
Fri Dec 4 10:33:29 CET 2009


freeradius at corwyn.net wrote:
> Having just followed all of those instructions to build out my
> production systems, I have a few tweaks to fix all those little things
> that drive one insane when following someone's instructions because they
> never tested them.

  Thanks.  Here's a short review.

> Note that the configuring of SAMBA, kerberos, and adding to the domain
> should already be done as part of the default Linux install, see
> h:\is\operating system\Linux\Guide_linux.doc

  This file is... ?

> Verify that a user in the domain can be authenticated:
> wbinfo -a user%password
> Try the same login with the ntlm_auth program, which is what FreeRADIUS
> will be using:
> ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password
> /etc/raddb/radiusd.conf  (see Appendix C)
> 
> Update max_requests to # users * 256

  That isn't necessary.  It should be no more than "max request/s *
max_request_time".

> Add to the end of the auth listen {..} (to permit groups of clients)
>         clients = disambiguate
>
> Add to the end of the acct listen {..}  (to permit groups of clients)
>         clients = disambiguate

  I don't understand why this is necessary.  All it does is put the
clients into a sub-section.  There's no additional value or capabilities
in doing this.

> Since we're not using any of these methods for the Ciscos, in
> authenticate{..} disable:   chap, mschap, suffix, ntdomain, unix, pap
> 
> Add to the end of the authorize{..} section:
> ntlm_auth

  Or to the end of the "authenticate" section?

> Note: The secret needs to match the secret set on the respective client.
> Change the secret to an actual secret
> 
> clients disambiguate {

  Again, there's no reason for this.

  Alan DeKok.
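Added example, not from this thread or the FreeRADIUS project: one way to wire ntlm_auth into a FreeRADIUS 2.x configuration along the lines Alan describes, with the module defined as an exec call, selected in authorize, and run from the authenticate section as its own Auth-Type. The file paths, MYDOMAIN, the client address and the secret are assumptions.

```conf
# raddb/modules/ntlm_auth (path assumed): wraps the same ntlm_auth call
# that was tested by hand above. wait = yes makes the exit code decide
# accept/reject. %{User-Password} is only available for PAP, which is
# why chap/mschap were disabled for these Cisco clients.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-enabled/default (path assumed)
authorize {
    preprocess
    # Route the request to the ntlm_auth method. The module itself does
    # not belong in authorize: it performs no authorization.
    update control {
        Auth-Type := ntlm_auth
    }
}

authenticate {
    # The exec module runs here, as its own Auth-Type.
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}

# raddb/clients.conf (path assumed): "clients = disambiguate" in a
# listen {..} section only selects this named group; a top-level
# client {..} block is equivalent. The secret is a placeholder.
clients disambiguate {
    client 192.0.2.10 {
        secret    = CHANGE_ME_PLACEHOLDER
        shortname = cisco-sw-01
    }
}
```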