Config. Help please - ldap and Active Directory
Leighton Man
l.j.man at hud.ac.uk
Fri Mar 6 12:20:18 CET 2009
Hi,
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth.
All working OK.
Now I'm trying to return different reply attributes depending on Active Directory group membership and to restrict which groups can authenticate. LDAP lookups against the Active Directory root fail with an operations error. Reconfiguring Active Directory is not a viable option, so I have to specify an OU=xxxx in the query. I have configured two instances of the ldap module for authorisation: one to query the staff OU and the other to query the student OU. Both work OK for valid queries, but if the user does not exist in the OU, the server still authenticates the username/password and grants access if it is valid. Relevant debug output:
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_student" returns notfound for request 8
modcall: leaving group student (returns notfound) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
...............................
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645
Relevant bits of radiusd.conf:
ldap ldap_student {
        server = "server.hud.ac.uk"
        identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
        password = secret
        port = 636
        basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
        filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
........................................
instantiate {
        exec
        expr
        ldap_staff
        ldap_student
}
authorize {
        preprocess
        mschap
        suffix
        eap
        Autz-Type staff {
                ldap_staff
        }
        Autz-Type student {
                ldap_student
        }
        files
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
I want to reject the user if they are not in the relevant ou. I must be missing something obvious. Can anyone help please?
Thanks in advance,
Leighton
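The debug output above shows why access is granted: in the authorize section a module result of "notfound" is not fatal, so processing simply continues to EAP and ntlm_auth, and the OU check fails open. The following is an added example, not taken from the original post or from the FreeRADIUS project's own configuration. It assumes the FreeRADIUS 1.x module return-code override syntax (`module { notfound = reject }`), the two ldap instances already defined in the post, and whatever (not shown in the post) sets Autz-Type to staff or student.

```conf
# Added example (not from the original post): authorize section for
# FreeRADIUS 1.x that turns an LDAP "notfound" from the selected OU into
# a reject, so the request never reaches the EAP/ntlm_auth path.
authorize {
        preprocess
        mschap
        suffix
        eap
        # Autz-Type is assumed to be set elsewhere (e.g. users/huntgroups),
        # as in the original post; that part is not shown here.
        Autz-Type staff {
                ldap_staff {
                        notfound = reject   # user not in the staff OU: Access-Reject
                }
        }
        Autz-Type student {
                ldap_student {
                        notfound = reject   # user not in the student OU: Access-Reject
                }
        }
        files
}
```

To verify, restart with `radiusd -X` and repeat the test from the post: the authorize section should now return reject for a user missing from the OU and an Access-Reject should be sent instead of the Access-Accept shown above. One caveat: an Autz-Type sub-section only runs when Autz-Type has been set for that request, so a user for whom neither staff nor student is set is never checked against LDAP at all; whatever assigns Autz-Type must cover every user you expect to see, or an unconditional check is needed.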