ntlm_auth & ldap authorize questions (solved)
Tobias Hachmer
lists at kokelnet.de
Wed Apr 4 14:42:05 CEST 2012
On 04.04.2012 12:30, Andres Septer wrote:
> I (sort of) solved exactly the same problem. I will post my solution in
> "MSSCHAP auth + LDAP authorization" shortly. Stay tuned.
# Note to Andres Septer:
Thanks for your reply, but I have fixed my problem now without giving the
LDAP bind user any specific rights.
(http://www.advproxy.net/ldapads.html)
I did the following:
# ldapsearch -h testwdc.test.local -D cn=Administrator,cn=Users,dc=test,dc=local -w abc123! -b dc=test,dc=local
# Free RADIUS, Users, test.local
dn: CN=Free RADIUS,CN=Users,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Free RADIUS
sn: RADIUS
givenName: Free
distinguishedName: CN=Free RADIUS,CN=Users,DC=test,DC=local
instanceType: 4
whenCreated: 20120404112536.0Z
whenChanged: 20120404112536.0Z
displayName: Free RADIUS
uSNCreated: 20580
uSNChanged: 20585
name: Free RADIUS
objectGUID:: Wc/75uS3EEOkigLBcBPVQw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129780123362628750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAXrAss/fHBMRa4JZ1UgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: freeradius
sAMAccountType: 805306368
userPrincipalName: freeradius@test.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
dSCorePropagationData: 16010101000000.0Z
and realised that the CN of the user I want to use for the LDAP bind is
"CN=Free RADIUS", whereas I had assumed that the CN is the same as the sAMAccountName.
So I changed the identity in /etc/freeradius/modules/ldap
from
identity = "cn=freeradius,cn=Users,dc=test,dc=local"
to
identity = "cn=Free RADIUS,cn=Users,dc=test,dc=local"
and the filter
from
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" (the default was uid)
to
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
Additionally, I set the groupmembership_filter accordingly for Active Directory:
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
That's what I've done, and now it is working like a charm.
Regards,
Tobias Hachmer
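As an added example that is not part of the original post or of FreeRADIUS itself, the following Python script reproduces the diagnosis above offline: it parses a constructed, abridged copy of the ldapsearch output for the bind account, takes the bind identity from the entry's real distinguishedName instead of guessing "cn=<sAMAccountName>,...", checks a configured identity against it with a case-insensitive DN comparison, and builds the sAMAccountName and group-membership filters with RFC 4515 escaping so that a login name containing "*" or ")" cannot alter the filter when the lookup is reproduced in a script. The function names, the abridged LDIF and the sample usernames are mine, not from the post.

```python
"""Derive FreeRADIUS rlm_ldap settings from an AD bind account's LDIF entry.

Added example, not code from the original post or from FreeRADIUS. It parses
a constructed, abridged copy of the ldapsearch output shown in the post,
takes the bind identity from the entry's real distinguishedName instead of
guessing "cn=<sAMAccountName>,...", and builds RFC 4515-escaped filters.
"""
import base64

# Constructed sample: abridged from the entry in the post, one attribute per line.
SAMPLE_LDIF = """\
# Free RADIUS, Users, test.local
dn: CN=Free RADIUS,CN=Users,DC=test,DC=local
objectClass: top
objectClass: user
cn: Free RADIUS
distinguishedName: CN=Free RADIUS,CN=Users,DC=test,DC=local
objectGUID:: Wc/75uS3EEOkigLBcBPVQw==
sAMAccountName: freeradius
userPrincipalName: freeradius@test.local
"""

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    'attr:: value' is base64 (decoded to bytes); lines starting with a space
    continue the previous value (LDIF folding); '#' lines are comments.
    """
    lines = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):  # base64 form "attr:: ..."
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip()
        entry.setdefault(attr, []).append(decoded)
    return entry


def ldap_filter_escape(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators for comparison.

    AD matches DNs case-insensitively. A DN value containing an escaped comma
    (\\,) is not treated specially here, which is fine as long as both DNs
    being compared are written the same way.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def bind_identity(entry):
    """The DN the RADIUS server must bind as: the entry's own DN, not a guess."""
    return entry["distinguishedName"][0]


def bind_identity_matches(entry, configured_identity):
    """True if the 'identity' in the ldap module config names this entry."""
    return normalize_dn(configured_identity) == normalize_dn(bind_identity(entry))


def user_filter(username):
    """User lookup filter keyed on sAMAccountName, the name sent as User-Name."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(username)


def group_filter(user_dn):
    """AD group membership filter keyed on the user's DN (control:Ldap-UserDn)."""
    return "(&(objectClass=group)(member=%s))" % ldap_filter_escape(user_dn)


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print("identity =", bind_identity(e))
    print("filter =", user_filter(e["sAMAccountName"][0]))
    print("groupmembership_filter =", group_filter(bind_identity(e)))
```

Run against the real ldapsearch output of the bind account, bind_identity() gives the string to paste into the identity line, and bind_identity_matches() catches the "cn=freeradius" guess that made the bind fail in the post. The escaping in user_filter() and group_filter() matters when you rebuild the lookups in a script of your own; FreeRADIUS expands %{User-Name} inside its own filter handling.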