After I posted yesterday that I had FreeRADIUS authenticating to AD
successfully but I was interested in finding out how to do the
authentication via group membership, I received a number of requests for
information on how I set up the basic LDAP authentication against
Active Directory.

Let me make it clear that I am VERY new to FreeRADIUS and I make no
guarantees about this working for you, and it is VERY likely that what I have
done is incorrect in some way.  If I am, I hope that those who are more
knowledgeable will correct me.  I also cannot make any claim that I
"discovered" this; all this information was found from searching the web and
this list, and I hope that maybe I can compile any further suggestions and
information into a basic HOWTO or FAQ for others.

After saying that, here is a copy of the ldap section of my radiusd.conf.  I
added some comments in an attempt to clarify what I did; I did not include
the rest, since I have been playing with settings in the group areas and I
don't think it will work.

        ldap {
                # This is the name of your AD server
                server = "DC.domain.com"
                # This is the account/password, and the container for it, that you
                # create in AD so FreeRADIUS can log in.
                # For example, I created an account named freeradius using the
                # password of password in my Users container in a domain
                # named domain1.root.domain.com
                identity = "CN=freeradius,CN=Users,DC=domain1,DC=root,DC=domain,DC=com"
                password = password
                # This is the base DN for the LDAP search to occur from, so
                # using my example from above, if my domain was
                # domain1.root.domain.com I would use DC=domain1,DC=root,DC=domain,DC=com
                basedn = "DC=domain1,DC=root,DC=domain,DC=com"
                # This is the search filter (I think...) and I had to find
                # what Active Directory called the user id.
                # The default here did not seem to work for me, so I changed
                # it to the item below and it works
                filter = "(sAMAccountName=%u)"
                ldap_debug = 0x0028
                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections instead of using ldaps (port 636)
                # connections
                start_tls = no
        }

Thank you all!

Darren
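The filter above substitutes the supplied User-Name for `%u`; the part that matters for safety is that the username is treated purely as an assertion value. The following is an added example (not from the post or from FreeRADIUS itself) showing the RFC 4515 escaping such a substitution must apply, with a constructed template and sample usernames:

```python
"""Added example (not part of the original post): escape a username before
substituting it into the rlm_ldap search filter "(sAMAccountName=%u)",
as RFC 4515 requires, so characters such as '*', '(' and ')' in the
supplied User-Name are matched literally instead of altering the filter.
The template string and the sample usernames below are constructed."""

# RFC 4515 section 3: these characters must appear as \XX inside a filter value
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Return value with every RFC 4515 special character hex-escaped.
    Each character is mapped exactly once, so a backslash in the input
    is not escaped twice."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Expand the %u placeholder the way a safe substitution should:
    the username is escaped first, so it can only ever be the value
    compared against sAMAccountName, never new filter syntax."""
    return template.replace("%u", ldap_filter_escape(username))


TEMPLATE = "(sAMAccountName=%u)"  # the filter used in the post

if __name__ == "__main__":
    # Constructed sample usernames: a plain one and two containing specials
    for name in ["jsmith", "j*", "(jsmith)"]:
        print(f"{name!r:12} -> {build_user_filter(TEMPLATE, name)}")
```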




List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html