Freeradius with AD

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Fri Apr 29 12:49:26 CEST 2016


Hi Jose

Am 28.04.2016 um 21:16 schrieb Jose via Freeradius-Users:
> 
> We currently have an OpenLDAP server where we have users in various OUs. We also have Active Directory with our students and staff in different OUs.
> How do we configure radius to authenticate with a particular OU instead of everything? For example, only have it authenticate with OU=students.
> Thanks.
> 

I'm only focusing on AD for authorization; if you want to have both
OpenLDAP and AD as (alternate) authentication/authorization sources
you'll have to do things a bit differently (i.e. more mingling with
unlang(5) ), that aside:

The link you sent only shows AD authentication. Since AD doesn't allow
reading the password directly, you need Samba/winbind to validate
credentials.* (also look in the FreeRADIUS wiki)

However your AD can be accessed for authorization like (almost?) any
other LDAP directory server using the rlm_ldap module.

Consider reading the wiki page on the LDAP module rlm_ldap**, its
manpage as well as the default config file of rlm_ldap. It contains
useful comments. I can only recommend using 3.0 if you haven't already
started with that version. rlm_ldap in 3.0.x has become easier to
configure than it used to be with 2.0.x.

You'll have to configure rlm_ldap to connect to your AD servers
including the attribute values that AD uses (like uid vs.
sAMAccountName) and make sure the ldap module is enabled in your config.

When done you can add checks in the post-auth section of inner-tunnel
(if using PEAP-MSCHAPv2) similar to the examples in the FR wiki.

You'll definitely want to read the unlang(5) manpage in order to do
other things like matching the OU which is part of the distinguishedName
attribute in AD.

Hope that gives you some ideas to look further.

-- Mathieu


*See: http://deployingradius.com/documents/protocols/oracles.html
** http://wiki.freeradius.org/modules/Rlm_ldap
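The configuration sketched in the reply above (rlm_ldap pointed at AD with sAMAccountName, plus an unlang check on the OU inside distinguishedName in the inner-tunnel post-auth section), written out as an added example. This is not from the list post or the FreeRADIUS project; it targets the 3.0.x syntax the reply recommends. The server name, bind account, base DN and the "students" OU are placeholders, and `Tmp-String-0` is one of the stock internal attributes used here as scratch space for the DN. Authentication itself is still expected to go through ntlm_auth/winbind as the reply describes; this fragment only adds authorization.

```unlang
# --- mods-available/ldap (FreeRADIUS 3.0.x) ---
# Constructed example: hostnames, DNs and the bind password are placeholders.
ldap {
    server   = 'dc1.example.internal'
    identity = 'CN=radius-bind,OU=Service Accounts,DC=example,DC=internal'
    password = 'CHANGE-ME'
    base_dn  = 'DC=example,DC=internal'

    user {
        base_dn = "${..base_dn}"
        # AD keys accounts on sAMAccountName, not uid (the point made in the reply)
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # Copy the account's distinguishedName into a control attribute
        # so the OU can be inspected with unlang after the LDAP lookup
        control:Tmp-String-0 := 'distinguishedName'
    }
}

# --- sites-available/inner-tunnel (PEAP-MSCHAPv2 inner request) ---
authorize {
    # ... existing entries (filter_username, mschap, suffix, eap ...) ...
    ldap        # performs the lookup above and fills control:Tmp-String-0
    # ...
}

post-auth {
    # Only accept accounts whose DN places them under OU=students.
    # Anything else (staff, service accounts) is rejected after a
    # successful password check, which is the "particular OU" behaviour asked for.
    if (&control:Tmp-String-0 !~ /,OU=students,/i) {
        update reply {
            Reply-Message := "Account is not in the permitted OU"
        }
        reject
    }
}
```

The match is a plain regex on the DN string, so keep the OU name exact and keep the surrounding commas in the pattern: without them `OU=students` would also match an OU such as `OU=students-alumni`. Run the server with `radiusd -X` and a test client once to confirm `control:Tmp-String-0` is actually populated before relying on the reject.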

