Active directory groups
Marc Phillips
rmarc at copacetic.net
Wed May 18 17:43:51 CEST 2011
> So far I have the ldap component querying AD correctly and I have the
> ntlm_auth component doing the same and each individually passing from a
> radtest. My question now revolves around passing the groups in our
> setup and if this is even possible using the protocols listed above.
> Unfortunately, we don't have the option to move away from these
> protocols in our environment. I'm a bit of a freeradius noob so any
> help is appreciated.
I'm not using NTLM for auth, but I am enforcing AD Group access.
What I did was fairly simple. I wanted users to either be admins or not
(and this is just an example usage):
users:

DEFAULT Ldap-Group == "grp-admin-admin", Auth-Type = pam
        Reply-Message = "Hello (admin), %{User-Name}",
        Fall-Through = No

DEFAULT Ldap-Group == "Operator", Auth-Type = pam
        Reply-Message = "Hello (operator), %{User-Name}",
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "you are not authorized"
My ldap module config looks like this (I have a patched version for exec
callouts on string fields. The patch can be found posted to the list):
ldap {
        server = "myDC"
        port = 636
        identity = "exec:/path/to/passgetter LDAP.user"
        password = "exec:/path/to/passgetter LDAP.pwd"
        basedn = "dc=myorg,dc=myco,dc=org"
        filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls_mode = yes
        tls {
                start_tls = no
                cacertfile = /path/to/my/cacerts
                require_cert = "never"
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = "memberOf"
        chase_referrals = no
        rebind = no
        set_auth_type = no
        ldap_debug = 0x8000
}
And then my authorize config (in my sites-enabled/default):

authorize {
        preprocess
        auth_log
        files
        ldap
}
R. Marc
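Here is an added example, written for this page and not taken from the post or from FreeRADIUS, that models in Python how the three DEFAULT entries above are walked (the first entry whose check items all match supplies the reply items, and Fall-Through = No stops the search), how the %{...:-...} fallback in the user filter is resolved, and how a value interpolated into either LDAP filter should be escaped per RFC 4515. The user names, DN and group memberships are constructed sample data, and the evaluator and escaping routine are this example's own approximation of rlm_files/rlm_ldap behaviour, not their code.

```python
"""Added example, not from the original post: a small model of the users-file
policy and the LDAP filter templates shown in the thread."""

# RFC 4515 escaping for values interpolated into an LDAP search filter
# (assumed here; rlm_ldap's own escaping is not reproduced from its source).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(attrs):
    """filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})": the ':-' xlat
    uses Stripped-User-Name when it is set and non-empty, else User-Name."""
    name = attrs.get("Stripped-User-Name") or attrs["User-Name"]
    return "(CN=%s)" % ldap_filter_escape(name)


def group_filter(user_dn):
    """groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"."""
    return "(&(objectClass=group)(member=%s))" % ldap_filter_escape(user_dn)


# The three DEFAULT entries from the post as (check items, reply items).
# In check items '==' compares, while '=' / ':=' set a control attribute.
USERS = [
    ({"Ldap-Group": ("==", "grp-admin-admin"), "Auth-Type": ("=", "pam")},
     {"Reply-Message": "Hello (admin), %{User-Name}", "Fall-Through": "No"}),
    ({"Ldap-Group": ("==", "Operator"), "Auth-Type": ("=", "pam")},
     {"Reply-Message": "Hello (operator), %{User-Name}", "Fall-Through": "No"}),
    ({"Auth-Type": (":=", "Reject")},
     {"Reply-Message": "you are not authorized"}),
]


def expand(template, attrs):
    # Only the xlat used by the entries above is needed here.
    return template.replace("%{User-Name}", attrs["User-Name"])


def authorize(attrs, groups_of_user):
    """Walk the DEFAULT entries: the first entry whose check items all match
    contributes its reply items; stop unless it sets Fall-Through = Yes.
    groups_of_user stands in for the memberOf lookup rlm_ldap performs when
    the Ldap-Group virtual attribute is compared (constructed sample data)."""
    control, reply = {}, {}
    for checks, replies in USERS:
        matched = True
        for attr, (op, value) in checks.items():
            if op != "==":
                continue
            if attr == "Ldap-Group":
                matched &= value in groups_of_user
            else:
                matched &= attrs.get(attr) == value
        if not matched:
            continue
        for attr, (op, value) in checks.items():
            if op == "=":
                control.setdefault(attr, value)   # add if not already present
            elif op == ":=":
                control[attr] = value             # always overwrite
        for attr, value in replies.items():
            if attr != "Fall-Through":
                reply[attr] = expand(value, attrs)
        if replies.get("Fall-Through", "No").lower() != "yes":
            break
    return control, reply


if __name__ == "__main__":
    # Constructed sample principals and their AD group memberships.
    for name, groups in (("alice", {"grp-admin-admin", "Domain Users"}),
                         ("bob", {"Operator"}),
                         ("carol", {"Domain Users"})):
        print(name, authorize({"User-Name": name}, groups))
    print(user_filter({"User-Name": "Smith (Contractor)"}))
```

The point the evaluator makes visible is that the last DEFAULT entry is what turns "not in either group" into a reject; without it a user in neither group would simply leave authorize with no Auth-Type set and whatever the rest of the section decides. The escaping helper is the check to apply wherever a user-controlled string ends up inside a filter.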