LDAP Group Against AD Issue

Matt Brennan brennanma at gmail.com
Mon Mar 21 15:39:48 CET 2016


Good Day,

  I am attempting to set up FreeRADIUS 3.0.11 against a single Active
Directory. I am also trying to use AD via LDAP to check group membership
for authorization. The authentication (via MSCHAPv2) is working fine, but I
am having issues with group memberships.

  If the user manually authenticates with their sAMAccountName (i.e.
systest) everything works as expected. However, when automatic
authentication is done by Windows, the username is sent in the
domain\username pattern, and my LDAP group checks fail. I end up trying to
search AD for "DOMAIN\5c5c\5c5csystest" which doesn't work:

(7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (sAMAccountName=applause\5c5csystest)
(7) ldap: Performing search in "OU=User Accounts,DC=corp,DC=applause,DC=com" with filter "(sAMAccountName=applause\5c5csystest)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: Search returned no results

It appears that proxy is the way to go, but it doesn't seem to be stripping
the realm once it's located.

Any pointers are appreciated. I've been working on this for days and just
can't resolve this portion.

-Matt
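Added example (not code from the post or from FreeRADIUS): a small model of what the `(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})` expansion does, showing why the filter must hex-escape a backslash per RFC 4515, why `applause\5c5csystest` is exactly a single backslash escaped twice, and how stripping the NT-domain prefix (the job of a prefix-format realm with a `\` delimiter, which populates Stripped-User-Name) avoids the problem. The helper names and sample usernames are assumptions made for this example.

```python
from typing import Optional, Tuple

# RFC 4515: these characters must be hex-escaped inside a filter value.
# This is what keeps a user-supplied name from rewriting the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def strip_ntdomain(user_name: str) -> Tuple[Optional[str], str]:
    """Split DOMAIN\\user into (realm, user), like a prefix-format realm
    with a backslash delimiter. Unqualified names get realm None."""
    realm, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return realm, user


def build_filter(user_name: str, strip_realm: bool) -> str:
    """Model the xlat: use Stripped-User-Name when a realm was recognised,
    otherwise fall back to the raw User-Name. Escaping is applied once."""
    realm, stripped = (None, user_name)
    if strip_realm:
        realm, stripped = strip_ntdomain(user_name)
    name = stripped if realm is not None else user_name
    return f"(sAMAccountName={ldap_filter_escape(name)})"


if __name__ == "__main__":
    # Constructed sample inputs: the Windows-style name and the bare name.
    for raw in ("applause\\systest", "systest"):
        print(f"{raw!r:22} unstripped -> {build_filter(raw, False)}")
        print(f"{raw!r:22} stripped   -> {build_filter(raw, True)}")
    # A single backslash escaped twice yields the \5c5c seen in the debug log.
    print(ldap_filter_escape(ldap_filter_escape("applause\\systest")))
```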


More information about the Freeradius-Users mailing list