Dusty, Thanks. I spent some time working at it from the LDAP angle and it still fails with the ldapsearch. I will do some more reading/research to get that working first, then if I have problems getting it work with FreeRADIUS, I will get back with you all. (If you have some good recommendations on howto's or other references getting OpenLDAP and MS AD to talk, I would appreciate the suggestions.)
Thanks for the pointers.
--Bill

From Dustin Doris on Sat, 29 May 2004 10:40:55 -0400 (EDT)

Hmmm... Perhaps you should double-check just to make sure. Do you have access to a machine with openldap on it? You could use the ldapsearch command to attempt a bind to AD. It would look something like this:

$ ldapsearch -h win-dc.win-dom.ctc.edu -D "CN=User\\, Asteroid,OU=System Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu" -w whateveryourpasswordis -b "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu" "(SamAccountName=jdummy)"

-Dusty

On Fri, 28 May 2004, Bill Shaver wrote:

> Thanks for the reply. Yes, it is a goofy name, but I am told it does
> have read access on AD (it is in the 'domain user' group).
>
> From: Dustin Doris <[EMAIL PROTECTED]> on Fri, 28 May 2004 13:16:20 -0400
>
> > Is "CN=User\\, Asteroid,OU=System Accounts..." a valid user with read
> > access to AD?
> >
> > > It seems that this should not be so hard; I am sure I am making a stupid
> > > mistake somewhere, but I just don't see it.
> > >
> > > I am attempting to set up freeradius 0.9.3 (redhat) to use (initially) one
> > > of several Windows 2003 AD for authentication. I am, however, unable to
> > > get the first one to work. I have attached what I think are the relevant
> > > log and configuration sections. The Windows admin is not seeing any
> > > errors in her logs. On the radius side, it seems that radiusd is not able to
> > > negotiate a connection that the ldap server will accept.
> > >
> > > Any recommendations would be appreciated.
> > > --Bill
> > >
> > >
> > > --- ldap config from radiusd.conf
> > >
> > > ldap {
> > >         server = "win-dc.win-dom.ctc.edu"
> > >         port = 636
> > >         identity = "CN=User\\, Asteroid,OU=System
> > > Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> >
> > ** Is "CN=User\\, Asteroid,OU=System Accounts... a valid user with read
> > access to AD?
> >
> > >         password = "****"
> > >         start_tls = yes
> > >         basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> > >         filter = "(SamAccountName=%u)"
> > >         dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >         ldap_connections_number = 5
> > >         timeout = 4
> > >         timelimit = 3
> > >         net_timeout = 1
> > >         ldap_debug = 0x0028
> > > }
> <<snipped>>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
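An added example, not from this thread or from FreeRADIUS itself, that turns the two checks discussed above into a small script: it reads the ldap { } block as quoted from radiusd.conf, flags the port/start_tls combination that cannot negotiate a session (the "radiusd is not able to negotiate a connection" symptom), and builds the shell-quoted ldapsearch bind test that Dusty suggested. The sample block is constructed from the thread with a placeholder password; the -x/-H/-ZZ flags are the current OpenLDAP ldapsearch equivalents of the -h form in the thread.

```python
import re
import shlex

# Constructed sample of the thread's ldap { } block (placeholder password).
SAMPLE_CONF = r'''ldap {
    server = "win-dc.win-dom.ctc.edu"
    port = 636
    identity = "CN=User\\, Asteroid,OU=System Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
    password = "****"
    start_tls = yes
    basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
    filter = "(SamAccountName=%u)"
}'''

def parse_ldap_block(text):
    """Key = value pairs of the ldap { } block; quotes dropped and a doubled
    backslash collapsed to one as radiusd.conf does (RFC 4514 escaped DN)."""
    m = re.search(r'ldap\s*\{(.*?)\n\s*\}', text, re.S)
    if not m:
        raise ValueError('no ldap { } block found')
    conf = {}
    for line in m.group(1).splitlines():
        line = line.split('#', 1)[0].strip()
        if '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            conf[key] = val.strip('"').replace('\\\\', '\\')
    return conf

def tls_problems(conf):
    """StartTLS is an extended op on a plaintext connection (389); 636 is LDAPS,
    with TLS before any LDAP message, so start_tls = yes on 636 cannot work."""
    port = int(conf.get('port', '389'))
    start_tls = conf.get('start_tls', 'no').lower() == 'yes'
    problems = []
    if port == 636 and start_tls:
        problems.append('start_tls = yes on port 636 (LDAPS): use 389 with start_tls, or 636 without it')
    if port == 389 and not start_tls:
        problems.append('plaintext simple bind on 389: the bind password crosses the network unencrypted')
    return problems

def ldapsearch_command(conf, user):
    """The manual bind test from the thread, shell-quoted for the escaped DN."""
    port = conf.get('port', '389')
    scheme = 'ldaps' if port == '636' else 'ldap'
    args = ['ldapsearch', '-x', '-H', f'{scheme}://{conf["server"]}:{port}']
    if scheme == 'ldap' and conf.get('start_tls') == 'yes':
        args.append('-ZZ')  # require StartTLS to succeed before binding
    args += ['-D', conf['identity'], '-w', conf['password'],
             '-b', conf['basedn'], conf['filter'].replace('%u', user)]
    return ' '.join(shlex.quote(a) for a in args)
```

Run the printed command on a box with the OpenLDAP client tools; a successful bind there but a failing radiusd points back at the module settings rather than at the AD account.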