How to configure freeradius to check user group in Microsoft Active Directory
Mathieu Simon (Lists)
matsimon.lists at simweb.ch
Thu Jan 23 21:56:09 CET 2014
Hi
On 23.01.2014 21:17, matrix30003 wrote:
> Hi
> My precise configuration:
> I used MS AD as the user store.
> I used samba and ntlm_auth to integrate with AD.
Exactly, that's the authentication part you are doing.
> Where will I find options about checking group from AD?
What you are looking for is looking up if user X is a member
of group x or has attribute y, then do $thing, which is authorization
(which is likely at first grant or not grant access).
Look at http://wiki.freeradius.org/modules/Rlm_ldap
Configure the ldap module and then look at the group support section
on the page for i.e. configuration in the post-auth section.
2 AD-specific gotchas:
- AD always needs authenticated binds so you need to specify a user
FreeRADIUS can authenticate against the AD LDAP to do queries.
- AD supports nested groups which requires extra attention if you rely
on them. Look out for LDAP_MATCHING_RULE_IN_CHAIN in conjunction with
FreeRADIUS.
-- Mat
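
Added example, not part of the original e-mail and not FreeRADIUS code: a Python sketch of the nested-group gotcha above, showing the search filter with and without LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) and why a direct memberOf check misses nested membership. The function names, the example.test DNs and the sample directory are constructed for illustration.

```python
"""Added example: AD group checks, direct vs. nested (LDAP_MATCHING_RULE_IN_CHAIN)."""

# OID of LDAP_MATCHING_RULE_IN_CHAIN, the AD matching rule that walks nested groups.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape untrusted input (e.g. the RADIUS User-Name) before it enters a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(username, group_dn, nested=True):
    """Build a filter that matches `username` only if it belongs to `group_dn`."""
    rule = f":{IN_CHAIN_OID}:" if nested else ""
    return (f"(&(sAMAccountName={escape_filter_value(username)})"
            f"(memberOf{rule}={escape_filter_value(group_dn)}))")


# Constructed sample directory: DN -> the groups it is a direct member of.
MEMBER_OF = {
    "CN=alice,OU=Users,DC=example,DC=test": ["CN=Helpdesk,OU=Groups,DC=example,DC=test"],
    "CN=Helpdesk,OU=Groups,DC=example,DC=test": ["CN=VPN-Users,OU=Groups,DC=example,DC=test"],
    "CN=VPN-Users,OU=Groups,DC=example,DC=test": [],
}


def is_member(dn, group_dn, nested=True):
    """Model the directory's answer: direct memberOf only, or the full chain."""
    seen, todo = set(), [dn]
    while todo:
        current = todo.pop()
        for parent in MEMBER_OF.get(current, []):
            if parent.lower() == group_dn.lower():
                return True
            if nested and parent not in seen:  # guard against circular nesting
                seen.add(parent)
                todo.append(parent)
    return False
```

With the sample data, alice is only a direct member of Helpdesk, so a plain memberOf test against VPN-Users fails while the in-chain form succeeds.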