LDAP Authentication bind as user issue

Scott Hughes scott at renshawauto.net
Fri Sep 9 17:35:52 CEST 2011


-----Original Message-----
From: freeradius-users-bounces+scott=renshawauto.net at lists.freeradius.org
[mailto:freeradius-users-bounces+scott=renshawauto.net at lists.freeradius.org]
On Behalf Of Michael Holstein
Sent: Friday, September 09, 2011 10:30 AM
To: FreeRadius users mailing list
Subject: Re: LDAP Authentication bind as user issue


> This way it binds anonymously, and then fails to do an ldapsearch 
> because of insufficient privs. Giving * read to all seems silly, and I 
> would rather not go that route.
>
> If anyone has suggestions or comments they would be greatly appreciated.
>   

How I did it (assuming you're using AD as the backend) .. is just create a
user account to bind with to do the search (to locate the DN). It does not
need to be an admin user, unless you have torqued down the permissions
inside AD. This allows bind as the defined user (to search for the DN of the
stripped-user-name) and then rebind as that DN.

ldap {
        server = "mydc.foocorp.com"
        identity = "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com"
        password = imnotgoingtotellyou
        basedn = "dc=foocorp,dc=com"
        filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
        ..
}

Cheers,

Michael Holstein
Cleveland State University
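The bind-search-rebind flow described above, as an added example that is not code from this thread or from FreeRADIUS itself: a small Python model of what the ldap module does with that configuration, run against a constructed in-memory directory so it works offline. It assumes the module searches with subtree scope beneath basedn (FreeRADIUS's default `scope = sub`), and the names DIRECTORY, escape_filter_value, build_filter, search and authenticate are hypothetical helpers written for this illustration. The filter value is escaped per RFC 4515 before substitution, which is the check worth keeping in mind whenever an attribute from the request is interpolated into a search filter.

```python
import re

# Constructed sample directory (not real data). Users sit in different OUs,
# and the non-admin "LDAP Account" exists only to perform the DN search.
DIRECTORY = {
    "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com":
        {"objectCategory": "person", "sAMAccountName": "ldapbind", "userPassword": "svc-secret"},
    "CN=foo,OU=KY-Sales,OU=KY,DC=foocorp,DC=com":
        {"objectCategory": "person", "sAMAccountName": "foo", "userPassword": "foo-pass"},
    "CN=bar,OU=OH,DC=foocorp,DC=com":
        {"objectCategory": "person", "sAMAccountName": "bar", "userPassword": "bar-pass"},
    "CN=Printers,OU=KY,DC=foocorp,DC=com":
        {"objectCategory": "group", "sAMAccountName": "printers"},
}

# RFC 4515 escapes for a value placed inside a filter assertion.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a request-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def effective_user_name(request):
    """Model of %{%{Stripped-User-Name}:-%{User-Name}}: stripped name if set, else User-Name."""
    return request.get("Stripped-User-Name") or request["User-Name"]


def build_filter(request):
    """The filter from the configuration above, with the user name escaped."""
    name = escape_filter_value(effective_user_name(request))
    return "(&(objectCategory=person)(sAMAccountName=%s))" % name


_ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(entry, ldap_filter):
    """Evaluate an AND-of-equality filter such as the one build_filter() produces."""
    for attr, raw in _ASSERTION.findall(ldap_filter):
        if entry.get(attr) != _unescape(raw):
            return False
    return True


def bind(dn, password):
    """Simple bind: the DN must exist and the stored password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search(basedn, ldap_filter):
    """Subtree search: any entry under basedn matches, regardless of which OU holds it."""
    suffix = "," + basedn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(suffix) and matches(entry, ldap_filter)]


def authenticate(identity, identity_password, basedn, request, user_password):
    """Bind as the search account, locate exactly one DN, rebind as that DN.

    Returns (user_dn, "ok") on success, or (None, reason) on failure.
    """
    if not bind(identity, identity_password):
        return None, "service bind failed"
    found = search(basedn, build_filter(request))
    if len(found) != 1:  # zero or several hits: refuse rather than guess
        return None, "no unique entry"
    if not bind(found[0], user_password):
        return None, "user bind failed"
    return found[0], "ok"
```

Rejecting anything other than exactly one search hit is deliberate: with zero hits there is no DN to rebind as, and with several the wrong account could be chosen.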

Michael,

Would this work if my AD users were in different OUs?  I have my users
broken out into respective location and department OUs.  Such as user FOO
is in both an OU of KY-Sales AND an OU of KY. They are not under the normal
'users' area.

Thanks,
Scott
