Config. Help please - ldap and Active Directory
Nicolas Goutte
nicolas.goutte at extragroup.de
Fri Mar 6 12:58:56 CET 2009
On 06.03.2009 at 12:20, Leighton Man wrote:
> Hi,
> I'm new to freeradius (3 weeks experience) and mailing lists
> (second attempt) so please have patience.
> I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured
> to authenticate against Active Directory using ntlm-auth.
> All working OK.
> Now I'm trying to return different reply attributes depending on
> Active Directory group membership and restrict which groups can
> authenticate. Ldap lookups against the active directory root fail
> with operation error. Reconfiguring Active Directory is not a
> viable option so I have to specify an OU=xxxx in the query. I have
> configured two instances of the ldap module for authorisation, one
> to query the staff ou and the other to query the student ou. Both
> work OK for valid queries but if the user does not exist in the ou
> the server still authenticates the username/password and grants
> access if valid. Relevant debug output:
>
> rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac,
> dc=uk, with filter (sAMAccountName=stafftest)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap_student" returns notfound for
> request 8
> modcall: leaving group student (returns notfound) for request 8
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
> rlm_eap: Request found, released from the list
>
> ...............................
>
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Success
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns ok for request 8
> modcall: leaving group authenticate (returns ok) for request 8
> Sending Access-Accept of id 104 to 10.127.240.217 port 1645
>
> Relevant bits of radiusd.conf:
>
> ldap ldap_student{
> server = "server.hud.ac.uk"
> identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
> password = secret
>
Try using := instead of = or ==. You have to assign the password, not
compare to it. Also perhaps you should use Cleartext-Password if the
password is in clear here.
> port = 636
> basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
> filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
> start_tls = no
>
> access_attr = "dialupAccess"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> groupname_attribute = cn
> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
>
> ........................................
>
> instantiate {
> exec
> expr
> ldap_staff
> ldap_student
> }
>
> authorize {
> preprocess
> mschap
> suffix
> eap
> Autz-Type staff{
> ldap_staff
> }
> Autz-Type student{
> ldap_student
> }
> files
> }
>
> authenticate {
> Auth-Type MS-CHAP {
> mschap
> }
> eap
> }
>
> I want to reject the user if they are not in the relevant ou. I
> must be missing something obvious. Can anyone help please?
>
> Thanks in advance,
> Leighton
Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
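A defender-side check for the fall-through the quoted debug output shows, as an added example (Python, written for this thread; it is not code from the post or from the FreeRADIUS project): it walks radiusd -X style lines and flags every Access-Accept for which no ldap authorisation module returned ok, which is exactly the request 8 pattern above. The sample lines are constructed from the quoted output, the module names are the ones in the quoted radiusd.conf, and the correlation rule (a "Sending" line belongs to the most recently mentioned request number) is an assumption that holds for single-threaded debug output.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the radiusd -X output quoted in the thread.
# Request numbers, packet ids and the peer address are illustrative. Request 8
# is the case from the post: the ldap module returns notfound, yet the request
# ends in Access-Accept. Request 9 is a legitimate accept, request 10 a proper
# reject, and request 11 an accept where no ldap module ran at all.
SAMPLE_LOG = """\
modcall[authorize]: module "ldap_student" returns notfound for request 8
modcall: leaving group student (returns notfound) for request 8
rad_check_password: Found Auth-Type EAP
modcall[authenticate]: module "eap" returns ok for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645
modcall[authorize]: module "ldap_staff" returns ok for request 9
modcall[authenticate]: module "eap" returns ok for request 9
Sending Access-Accept of id 105 to 10.127.240.217 port 1645
modcall[authorize]: module "ldap_student" returns notfound for request 10
Sending Access-Reject of id 106 to 10.127.240.217 port 1645
rad_check_password: Found Auth-Type EAP
modcall[authenticate]: module "eap" returns ok for request 11
Sending Access-Accept of id 107 to 10.127.240.217 port 1645
"""

# Module names taken from the quoted radiusd.conf: at least one of these must
# have returned "ok" for an Access-Accept to be considered expected.
AUTHZ_MODULES = frozenset({"ldap_staff", "ldap_student"})

AUTHZ_RE = re.compile(
    r'modcall\[authorize\]: module "(?P<mod>[^"]+)" returns (?P<rc>\w+) '
    r"for request (?P<req>\d+)"
)
REQ_RE = re.compile(r"for request (?P<req>\d+)")
SEND_RE = re.compile(
    r"Sending (?P<code>Access-Accept|Access-Reject) of id (?P<pid>\d+) "
    r"to (?P<peer>\S+)"
)


def find_fallthrough(lines, authz_modules=AUTHZ_MODULES):
    """Return one finding per Access-Accept that no authorisation module
    approved. Assumption: single-threaded debug output (radiusd -X), so a
    'Sending' line belongs to the most recently mentioned request number."""
    results = defaultdict(dict)   # request number -> {module: return code}
    current = None                # request the log is currently working on
    findings = []
    for line in lines:
        m = AUTHZ_RE.search(line)
        if m:
            results[m["req"]][m["mod"]] = m["rc"]
        r = REQ_RE.search(line)
        if r:
            current = r["req"]
        s = SEND_RE.search(line)
        if not s or s["code"] != "Access-Accept" or current is None:
            continue
        # Only the modules that are supposed to gate access matter here.
        seen = {mod: rc for mod, rc in results[current].items()
                if mod in authz_modules}
        if not seen:
            reason = "no authorisation module ran"
        elif all(rc != "ok" for rc in seen.values()):
            reason = "authorisation modules returned " + ", ".join(
                f"{mod}={rc}" for mod, rc in sorted(seen.items()))
        else:
            continue  # some gating module approved the user: expected accept
        findings.append({"request": current, "packet_id": s["pid"],
                         "peer": s["peer"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_fallthrough(SAMPLE_LOG.splitlines()):
        print(f"request {f['request']} (id {f['packet_id']} to {f['peer']}): "
              f"Access-Accept although {f['reason']}")
```

Run against a real debug capture, the two reasons separate the two ways this configuration fails open: an ldap instance that did run but answered notfound (the authorize section simply carried on to eap), and a request that never reached either Autz-Type group at all. Both end in the same Access-Accept line, which is why watching only the final packet code is not enough.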