After I posted yesterday that I had FreeRADIUS authenticating to AD successfully but I was interested in finding out how to do the authentication via group membership, I received a number of requests for information on how I set up the basic LDAP authentication against Active Directory.
Let me make it clear that I am VERY new to FreeRADIUS and I make no guarantees about this working for you, and it is VERY likely that what I have done is incorrect in some way. If I am, I hope that those who are more knowledgeable will correct me. I also cannot make any claim that I "discovered" this; all this information was found from searching the web and this list, and I hope that maybe I can compile any further suggestions and information into a basic HOWTO or FAQ for others.

After saying that, here is a copy of the ldap section of my radiusd.conf. I added some comments in an attempt to clarify what I did. I did not include the rest since I have been playing with settings in the group areas and I don't think it will work.

    ldap {
        # This is the name of your AD server
        server = "DC.domain.com"

        # This is the account/password and the container for it you create in AD so FreeRADIUS can log in.
        # For example I created an account named freeradius using the password of password in my Users
        # container in a domain named domain1.root.domain.com
        identity = "CN=freeradius,CN=Users,DC=domain1,DC=root,DC=domain,DC=com"
        password = password

        # This is the base DN for the LDAP search to occur from, so using my example from above, if my
        # domain was domain1.root.domain.com I would use DC=domain1,DC=root,DC=domain,DC=com
        basedn = "DC=domain1,DC=root,DC=domain,DC=com"

        # This is the search filter (I think...) and I had to find what Active Directory called the user id.
        # The default here did not seem to work for me, so I changed it to the item below and it works
        filter = "(sAMAccountName=%u)"

        ldap_debug = 0x0028

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no
    }

Thank you all!
Darren

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
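Editor's note, added to this post and not part of Darren's message: as posted, the section above binds to the domain controller with start_tls = no, so the freeradius service-account password, and any user password FreeRADIUS checks by binding as that user, cross the network to the DC in cleartext on port 389. The fragment below shows the same section with the weak setting beside the corrected one. It reuses the server name, identity and base DN from the post; the option names are the ones used in the FreeRADIUS 1.x rlm_ldap configuration, and the /etc/raddb/certs path and the CA file name are assumptions for illustration.

```conf
ldap {
        server  = "DC.domain.com"
        identity = "CN=freeradius,CN=Users,DC=domain1,DC=root,DC=domain,DC=com"
        password = password
        basedn  = "DC=domain1,DC=root,DC=domain,DC=com"
        filter  = "(sAMAccountName=%u)"

        # WEAK (as posted): plain LDAP on 389, bind credentials sent in cleartext.
        # start_tls = no

        # CORRECTED: upgrade the port-389 connection to TLS with the StartTLS
        # extended operation before the bind. The DC must have a server
        # certificate installed for this to succeed.
        start_tls = yes

        # Path to the CA certificate that issued the DC's certificate
        # (assumed location; use the CA that actually signed it).
        tls_cacertfile   = /etc/raddb/certs/ad-root-ca.pem

        # Refuse the connection if the DC's certificate does not verify
        # against that CA; without this, StartTLS would still protect the
        # wire but not guard against a spoofed DC.
        tls_require_cert = "demand"

        # ldap_debug = 0x0028
}
```

Before restarting radiusd, the same bind and filter can be checked from the RADIUS host with the OpenLDAP client, where -ZZ makes StartTLS mandatory and -W prompts for the service-account password: ldapsearch -x -ZZ -H ldap://DC.domain.com -D "CN=freeradius,CN=Users,DC=domain1,DC=root,DC=domain,DC=com" -W -b "DC=domain1,DC=root,DC=domain,DC=com" "(sAMAccountName=jdoe)" sAMAccountName (jdoe stands in for a real account). If that fails with a certificate error, fix the CA file rather than lowering tls_require_cert.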