Hello Chris,

We use users in different OUs and it works fine.
You have to use a basedn at the top of your AD.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kellogg, Chris
Sent: Friday, 13 August 2004 18:03
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory


This is great information, thanks!

By the way, I found that 'UserPrincipalName' did not work; I used 'sAMAccountName' 
with success.

It leads to a couple of new questions, however.  What about people who have users broken 
into multiple OUs in their Active Directory?  The BaseDN option in radiusd.conf 
appears to focus the username search on the particular OU container indicated; nothing 
underneath that OU will be checked.  It's also apparently not possible to just give 
the top container and have it search.

I'm not an AD expert, so I might be missing a simple solution.

I am also trying to verify membership in a specific group; LDAP can't find it, and I'm 
wondering if anyone has encountered this before.  I verified the group was in the same 
OU as indicated by basedn, and the user is a member of that group.

What have other people done in these situations?

Chris.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: AW: freeRADIUS and Microsoft Active Directory


Hello Hugo,

There is no problem using FR with AD.

Here is an example:

        ldap {
                server = your.ad.server.org
                # Some user; you don't need a special one, I created one
                # only for querying AD. I have chosen the user principal name.
                identity = "(the bind user's UserPrincipalName)"
                password = (the password)
                basedn = "dc=your,dc=company,dc=org"
                # Here you have to choose the filter; I use the UserPrincipalName but
                # you can choose something else too.
                filter = "(UserPrincipalName=%u)"

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections instead of using ldaps (port 636) connections
                start_tls = no

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5
                # If you want to check if the user is in a special group you can use
                # this:
                groupmembership_filter = "(member=%{Ldap-UserDn})"
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
In the authorize and the authentication section you have to uncomment the ldap entry.


Your users file should look like this:

DEFAULT         Ldap-Group == (groupname to check for), Auth-Type := LDAP
                        Fall-Through = no


Good Luck 

Markus
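As an added illustration (not part of the thread and not FreeRADIUS code), the following Python model replays the two lookups the ldap stanza above drives: first a subtree search from basedn with the user filter to obtain Ldap-UserDn, then the groupmembership_filter evaluated against the group entry. The directory contents, DNs and account names are constructed for the example; the escaping of the substituted value follows RFC 4515 and is an addition of this example, not a statement about how rlm_ldap substitutes %u.

```python
# Added example, not from the mailing-list thread: an in-memory model of the
# user lookup and group check that the ldap {} stanza configures.
import re

# Constructed sample directory: DN -> attributes. Users live in two different
# OUs (the situation Chris asks about) and one group lists Alice as a member.
DIRECTORY = {
    "CN=Alice Example,OU=Sales,DC=your,DC=company,DC=org": {
        "sAMAccountName": ["alice"],
        "userPrincipalName": ["alice@your.company.org"],
    },
    "CN=Bob Example,OU=Engineering,DC=your,DC=company,DC=org": {
        "sAMAccountName": ["bob"],
        "userPrincipalName": ["bob@your.company.org"],
    },
    "CN=VPN Users,OU=Groups,DC=your,DC=company,DC=org": {
        "member": ["CN=Alice Example,OU=Sales,DC=your,DC=company,DC=org"],
    },
}


def escape_filter_value(value):
    """Escape RFC 4515 filter metacharacters so a value substituted into a
    filter template cannot change the structure of the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def expand_filter(template, username):
    """Model the %u substitution, e.g. "(sAMAccountName=%u)" -> "(sAMAccountName=bob)"."""
    return template.replace("%u", escape_filter_value(username))


def parse_equality_filter(ldap_filter):
    """Parse a simple "(attr=value)" filter into (attr, value)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled: %r" % ldap_filter)
    return m.group(1), m.group(2)


def dn_in_subtree(dn, basedn):
    """True if dn is basedn itself or lies below it (DNs compare case-insensitively)."""
    dn, basedn = dn.lower(), basedn.lower()
    return dn == basedn or dn.endswith("," + basedn)


def subtree_search(basedn, ldap_filter):
    """Subtree-scoped search from basedn; returns the DNs whose entry matches."""
    attr, value = parse_equality_filter(ldap_filter)
    matches = []
    for dn, attrs in DIRECTORY.items():
        if not dn_in_subtree(dn, basedn):
            continue
        # LDAP attribute names are case-insensitive.
        values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
        if value.lower() in (v.lower() for v in values):
            matches.append(dn)
    return matches


def find_user_dn(basedn, filter_template, username):
    """Step 1: locate the user's DN (what FreeRADIUS exposes as Ldap-UserDn).
    Returns None unless exactly one entry matches."""
    matches = subtree_search(basedn, expand_filter(filter_template, username))
    return matches[0] if len(matches) == 1 else None


def user_in_group(group_dn, user_dn, group_filter="(member=%{Ldap-UserDn})"):
    """Step 2: evaluate groupmembership_filter against the group entry."""
    ldap_filter = group_filter.replace("%{Ldap-UserDn}", escape_filter_value(user_dn))
    return group_dn in subtree_search(group_dn, ldap_filter)


if __name__ == "__main__":
    top = "dc=your,dc=company,dc=org"
    print(find_user_dn("ou=Sales," + top, "(sAMAccountName=%u)", "bob"))   # None
    print(find_user_dn(top, "(sAMAccountName=%u)", "bob"))                 # Bob's DN
    print(user_in_group("CN=VPN Users,OU=Groups,DC=your,DC=company,DC=org",
                        find_user_dn(top, "(sAMAccountName=%u)", "alice")))  # True
```

Two things the model makes visible: with basedn set to one OU, a user in a sibling OU is simply not under the search base, whereas a basedn at the domain root finds users in every OU below it (Markus's advice); and an AD userPrincipalName has the form user@suffix, so "(UserPrincipalName=%u)" only matches when the supplied login name is the full UPN, which is consistent with Chris finding that sAMAccountName worked for plain account names.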


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: Thursday, 12 August 2004 10:44
To: [EMAIL PROTECTED]
Subject: freeRADIUS and Microsoft Active Directory


Hi all, 
Has any of you already configured freeRADIUS with Microsoft Active Directory? 
I know that it is possible to configure "FR" with LDAP, so I think that it's also 
possible to do it with AD. 
If you could reply with some example of the .conf files for this particular 
situation, that would be just great! :-) 
Thanks. 
  
Best regards, 
  
Hugo Sousa 
SysAdmin / NetworkAdmin 
http://www.netsystems.pt 
Portugal 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
