Authenticating users via AD and checking group membership

Godfrey Peart grpeart at googlemail.com
Sat Jan 17 16:27:11 CET 2009


I am using FR 2.1. At present I can authenticate users against AD and then assign VLAN membership based on user name via a MySQL database. What I would now like to do is assign VLAN membership based on the group membership of the user. When I do an ldapsearch of my AD for a user I get the following output:

mymachine:/home/jones # ldapsearch -x -D cn=radman04,cn=users,dc=MYDOMAIN,dc=co,dc=uk -h 10.10.6.131 -b cn=users,dc=MYDOMAIN,dc=co,dc=uk sAMAccountName=radman04 -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=MYDOMAIN,dc=co,dc=uk> with scope subtree
# filter: sAMAccountName=radman04
# requesting: ALL
#

# radman04, Users, MYDOMAIN.co.uk
dn: CN=radman04,CN=Users,DC=MYDOMAIN,DC=co,DC=uk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: radman04
givenName: radman04
distinguishedName: CN=radman04,CN=Users,DC=MYDOMAIN,DC=co,DC=uk
instanceType: 4
whenCreated: 20090113021444.0Z
whenChanged: 20090113021444.0Z
displayName: radman04
uSNCreated: 36950
memberOf: CN=GROUPNAME,CN=Users,DC=MYDOMAIN,DC=co,DC=uk
uSNChanged: 36955
name: radman04
objectGUID:: yXoSg4Ln7EWYAuThBRuTSw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128762864842481250
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAANdbgD79SSqoLLz2LYwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: radman04
sAMAccountType: 805306368
userPrincipalName: radman04@MYDOMAIN.co.uk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=co,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Based upon the output, how do I construct a method of assigning reply attributes for members of each group, and what parts of the RADIUS configuration do I need to change? I don't want to change from AD to LDAP for authentication. I have searched the archives but can't link all the elements I've found to solve my problem.

Thanks in advance
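One way to wire this up in FreeRADIUS 2.x, as an added example and not configuration from the original post: leave the existing authentication path untouched and use rlm_ldap only in the authorize section, so that the memberOf values seen in the ldapsearch above become Ldap-Group check items that select the VLAN reply attributes. The server address, base DN, bind DN and GROUPNAME are taken from the post; that the bind account is a read-only service account, its password, the VLAN number 100 and the file layout are assumptions.

```text
# raddb/modules/ldap -- authorization only; the authenticate section is unchanged
ldap {
        server   = "10.10.6.131"
        # bind account for the search (assumed to be a read-only service account)
        identity = "cn=radman04,cn=users,dc=MYDOMAIN,dc=co,dc=uk"
        password = "CHANGE-ME"
        basedn   = "cn=users,dc=MYDOMAIN,dc=co,dc=uk"
        filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # AD stores membership on the user object (memberOf) and on the
        # group object (member); cover both so Ldap-Group can match on the group cn
        groupname_attribute       = cn
        groupmembership_filter    = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
        groupmembership_attribute = memberOf
}

# raddb/users -- check items on the first line, reply items indented below;
# one DEFAULT entry per AD group, VLAN 100 is an assumed value
DEFAULT Ldap-Group == "GROUPNAME"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"

# raddb/sites-enabled/default -- ldap must run before files in authorize
# so the user DN and group lookup are available when the users file is read
authorize {
        preprocess
        mschap
        ldap
        files
}
```

A user who is not in any matching group falls through every DEFAULT entry and gets no Tunnel attributes, which is the safe default for a VLAN assignment.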