Checking Active Directory group membership with winbind

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Wed Aug 14 10:25:50 CEST 2019


Hi Alex

On 14.08.2019 at 08:32, Alex Jordaan wrote:
> Hi
> 
> I am busy setting up a freeradius system on CentOS7. I can authenticate
> any AD user but want to only authenticate if the user belongs to a certain AD
> group
> 
> I found this thread where it is explained that the winbind module in Freeradius
> can do it
> 
> http://freeradius.1045715.n5.nabble.com/Checking-Active-Directory-group-membership-with-winbind-td5741346.html
Looking at the first post from Matt Newton he refers to 3.1.x which now
is in development as the next major version 4.x.
> 
[...]
> I have the repo provided freeradius and samba and winbind installed and
> can't seem to find the winbind module it is referring to.....
Skimming over the thread I'd understand that since you are using the 3.0
release on CentOS, you have to use rlm_ldap instead.

It shouldn't be very difficult to configure. One of the roadblocks to
check out is to verify whether your AD makes use of nested groups,
in which case you'll have to modify groupmembership_filter to
have the special OID filter for AD like so:

membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"

Regards
Mathieu
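
The following is an added example, not part of the original post and not FreeRADIUS code: it models what a plain member filter and the OID filter quoted above each match when groups are nested, including a nesting loop. All DNs, the DIRECTORY data and the function names are constructed for illustration.

```python
# Constructed sample data: group DN -> values of its "member" attribute.
BASE = "DC=example,DC=org"
VPN = f"CN=VPN-Users,OU=Groups,{BASE}"
NET = f"CN=Network-Team,OU=Groups,{BASE}"
CON = f"CN=Contractors,OU=Groups,{BASE}"
HELP = f"CN=Helpdesk,OU=Groups,{BASE}"
ALICE, BOB, CAROL, DAVE = (
    f"CN={n},OU=People,{BASE}" for n in ("alice", "bob", "carol", "dave")
)
DIRECTORY = {
    VPN: [ALICE, NET],   # Network-Team is nested inside VPN-Users
    NET: [BOB, CON],     # Contractors is nested inside Network-Team
    CON: [CAROL, NET],   # Network-Team is also inside Contractors: a loop
    HELP: [DAVE],
}
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # matching rule OID quoted in the post


def membership_filter(user_dn, nested):
    """Filter text for a user DN, with or without the in-chain matching rule."""
    rule = f":{IN_CHAIN_OID}:" if nested else ""
    return f"(member{rule}={user_dn})"


def direct_groups(dn, directory=DIRECTORY):
    """Groups that list dn in their own member attribute: (member=<dn>)."""
    wanted = dn.lower()  # simplification: compare DNs case-insensitively
    return {g for g, members in directory.items()
            if wanted in (m.lower() for m in members)}


def in_chain_groups(dn, directory=DIRECTORY):
    """Groups reachable by following member links upward from dn."""
    found, frontier = set(), [dn]
    while frontier:
        for group in direct_groups(frontier.pop(), directory):
            if group not in found:  # the seen-set ends the walk on loops
                found.add(group)
                frontier.append(group)
    return found


def is_member(user_dn, group_dn, nested):
    """Decision a group check would reach with the chosen filter style."""
    groups = in_chain_groups(user_dn) if nested else direct_groups(user_dn)
    return group_dn in groups
```

With the in-chain filter, every account in any group nested under the required group passes the check, so the nested groups and who can edit them become part of the access decision.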

