Allow users from a specific AD group
Ivan Kalik
tnt at kalik.net
Thu Sep 24 11:01:34 CEST 2009
> Hi, I spent some time trying to get FR+AD working together and presently
> I'm using ntlm to authenticate users through mschap against the AD. It is
> working.
>
> Next step is to try to allow access only to specific users belonging to a
> group from the AD, but it is not working.
>
> I post here the important things I have configured until now:
>
> 1. users file:
>
> DEFAULT Ldap-Group != "wireless", Auth-Type := Reject
Ldap-Group and SQL-Group don't work well with !=. Try this unlang in
inner-tunnel authorize instead:
if (Ldap-Group == "wireless") {
    ok
}
else {
    reject
}
> 2. /usr/local/etc/raddb/sites-enabled/inner-tunnel and default:
>
> # uncommented ldap from authorize function
>
> 3. /modules/ldap:
>
> server = "192.168.1.10"
> port = 389
> identity = "cn=Administrator,cn=users,dc=DOT1X,dc=local"
> password = 123456
> basedn = "dc=DOT1X,dc=local"
> filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
> base_filter = "(objectclass=radiusprofile)"
> groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_attribute = memberOf
>
> Do you have any idea what can be missing?
That should be %{control:Ldap-UserDn}.
Ivan Kalik
Kalik Informatika ISP
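Added example, not from this thread: a small Python model of how the Ldap-Group comparison in the poster's setup resolves to ok or reject, and why the group filter has to reference %{control:Ldap-UserDn}. The directory entries, user names and DNs are constructed, and the attribute-list expansion and filter evaluation are a simplified model of what rlm_ldap does (assumed 2.x behaviour), not the module's own code.

```python
import re
# Constructed AD-like directory (DN -> attributes); nothing here is real data.
DIRECTORY = {
    "cn=alice,cn=users,dc=DOT1X,dc=local": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"]},
    "cn=bob,cn=users,dc=DOT1X,dc=local": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"]},
    "cn=wireless,cn=users,dc=DOT1X,dc=local": {
        "objectClass": ["top", "group"], "cn": ["wireless"],
        "member": ["cn=alice,cn=users,dc=DOT1X,dc=local"]},
}

# The posted groupmembership_filter, with the list-qualified reference.
GROUP_FILTER = ("(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
                "(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))")

def xlat(template, request, control):
    """Model of %{...} expansion: %{list:Attr} reads that list, a bare %{Attr}
    reads only the request list, so %{Ldap-UserDn} expands to '' (assumed)."""
    def sub(m):
        src = control if m.group(1) == "control" else request
        return src.get(m.group(2), "")
    return re.sub(r"%\{(?:(control|request):)?([A-Za-z-]+)\}", sub, template)

def matches(entry, flt):
    """Evaluate (&...), (|...) and (attr=value); an empty value matches nothing."""
    body = flt[1:-1]
    if body[0] in "&|":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                subs.append(body[start:i + 1])
                start = i + 1
        return (all if body[0] == "&" else any)(matches(entry, s) for s in subs)
    attr, _, value = body.partition("=")
    return value != "" and value in entry.get(attr, [])

def ldap_group_check(username, group, group_filter=GROUP_FILTER):
    """authorize { ldap; if (Ldap-Group == group) { ok } else { reject } }."""
    request, control = {"User-Name": username}, {}
    for dn, attrs in DIRECTORY.items():      # rlm_ldap user lookup by sAMAccountName
        if username in attrs.get("sAMAccountName", []):
            control["Ldap-UserDn"] = dn      # the DN lands in the control list
    if "Ldap-UserDn" not in control:
        return "reject"                      # unknown user
    flt = xlat(group_filter, request, control)
    hit = any(group in a.get("cn", []) and matches(a, flt) for a in DIRECTORY.values())
    return "ok" if hit else "reject"
```

With the unqualified %{Ldap-UserDn} the expanded filter becomes (member=), so even a member of the group is rejected.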