Freeradius, Active Directory and User's Group

Gary Gatten Ggatten at waddell.com
Mon Mar 29 23:12:00 CEST 2010 

Yup - that's what I was talking about.

You can use variables, but if you need to enumerate a users group memberships - then yea you'll need LDAP.

G


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Lincoln Zuljewic Silva
Sent: Monday, March 29, 2010 4:08 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius, Active Directory and User's Group

Gary

Are you talking about the "--require-membership-of" parameter of ntlm_auth?

If yes, I can't use it because is a "randon" situation.

The Alcatel software has a list of all groups that can login and their
appropriate permissions. The freeradius has to see what are the user
groups that the user are member of and reply it to Alcatel software.

John,

I will check out this "reply attribute" and see if it works for me...

Regards
Lincoln

On Mon, Mar 29, 2010 at 5:53 PM, Gary Gatten <Ggatten at waddell.com> wrote:
> FWIW, I do group checking with SAMBA.  I'm not in front of my system, but there's an arg one can pass to the Samba util exe where it will validate uname, password, and group membership.  This should work for most "simple" confs, although I can certainly envision situations where LDAP may be required.
>
> ----- Original Message -----
> From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org <freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Mon Mar 29 15:26:57 2010
> Subject: Re: Freeradius, Active Directory and User's Group
>
> Understood, but the freeradius will be able to return this group
> information to the Alcatel device?
>
> Regards
> Lincoln
>
> On Mon, Mar 29, 2010 at 5:10 PM, John Dennis <jdennis at redhat.com> wrote:
>> On 03/29/2010 04:02 PM, Lincoln Zuljewic Silva wrote:
>>>
>>> I'm sorry.
>>>
>>> I forgot to mention that I'm not using LDAP, but Samba to integrate
>>> the freeradius with AD.
>>
>> O.K. I presume you're using samba for authentication, but where are you
>> storing the information about which groups a user is in? I presume it's in
>> AD. AD is an ldap server that you can query during authorization which is
>> when and where you would do the group check.
>> --
>> John Dennis <jdennis at redhat.com>
>>
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
> --
> Lincoln Zuljewic Silva
> More contact info.: http://www.system.adm.br/contact.php
>
> "How often must a question be asked before it's considered a
> frequently asked question?"
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- 
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php

"How often must a question be asked before it's considered a
frequently asked question?"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list