Active Directory Group Membership filtering query
Alan DeKok
aland at deployingradius.com
Tue Oct 1 17:28:15 CEST 2013
Simon Grierson wrote:
> Authentication via Active Directory, but with access granted depending
> on AD Group membership.
That should be possible.
> EG: User A is allowed Wifi access, as they are in Wifi-Users group
>
> User B is not as they do not have membership of this group.
That's easy.
> So we have the Freeradius server up and running, and it can authenticate
> against AD fine, but I can't figure out the group filtering portion of
> the setup.
The FAQ has examples. The configuration files have many references to
"ldap", with comments describing what it does.
> The documentation points to configuring the modules/ldap file to point
> to our LDAP server (I.E. our AD server), and to configure the /users
> file with the following line
>
> DEFAULT Ldap-Group ==
> "CN=sec-eduroam-users,OU=Access,OU=SecurityGroups,OU=Groups,DC=testres,DC=org"
>
> DEFAULT Auth-Type = Reject
The default *is* to reject the user, but that may work.
> When I run freeradius in debug mode, we get all the usual output but no
> ldap modules mentioned
Is it a secret? The FAQ, "man" page, web pages, and daily messages on
this list say to post the debug output. It's the ONLY way to solve the
problem.
> It does include modules/ldap but little else.
Which is probably fine.
> FYI I have built this 3 times,
Well, then you did it wrong 3 times.
> What I can't get is LDAP to work through free radius.
>
> Am I doing something wrong, is there a better way to do this?
Post the debug output as suggested in the FAQ, "man" page, web pages,
and daily on this list.
Alan DeKok.