Yohoo! Yes! I did it! ;)
My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory (on 2003 Server). Without ntlm_auth! Below I have added a short summary of how I realized it here.
But now I have a question that I can't solve by myself. I want to retrieve some group information from AD. In a user's account I find several "memberOf" values with the DN of the group the user belongs to. Now I want to give access via freeradius only to some special groups.
I have figured out that there are these parameters: groupname_attribute, groupmembership_filter and groupmembership_attribute, combined with some entries in the users file. I've read doc/rlm_ldap, but I didn't find any deeper hints or explanation.
Questions:
1. Where can I find some docs about the %{...} values in groupmembership_filter? Which one should I use in combination with my AD?
2. Which value should I use then in the users file?
3. Is there anyone who can give a little help with further authenticating by group?
------------- short summary how to authenticate vs. ActiveDirectory -----------------------
/etc/raddb/radiusd.conf
[...]
ldap {
        # servername with an AD-Server running Win2003Srv
        server = "adsrv.qsc.de"
        # The user account for querying AD (anonymous query is disabled)
        identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"
        # The password for the query user
        password = 'xxxxxx'
        # base DN for user search; all our users are in ou=employees. Without this
        # "ou=...", no user will be found. I don't understand why.
        basedn = "ou=employees,dc=qsc,dc=de"
        # I've copied the below string, because I didn't understand the meanings of the %{...}
        filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"
        # I had to increase the timeouts
        timeout = 40
        timelimit = 30
        net_timeout = 10
}
The users file was left at default, no changes. I hope I could help some people trying to use AD for radius. And I hope someone will help me with my user problem.
Greets
Christian
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
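Added example, not from the post above and not FreeRADIUS code: a plain Python model of two things the radiusd.conf in the post touches, so they can be run and inspected offline. First, what the filter line "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})" does: fall back from Stripped-User-Name to User-Name, and escape the value before it is put into an LDAP filter (RFC 4515), since a user-supplied name that is not escaped could change the filter's structure. Second, what a memberOf-based group check (the direction the groupmembership_* parameters point at) amounts to: compare the group DNs AD returns in memberOf against a list of allowed group DNs, with a DN comparison that ignores case and spacing. The attribute names, DNs, sample accounts and the allowed-group list are constructed for illustration and are assumptions, not the poster's environment.

```python
"""Added example (not from the original post or FreeRADIUS): a Python model of
the AD user filter and a memberOf-based group check. Sample data is constructed."""
from typing import Optional

# RFC 4515 escaping for a value embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape filter metacharacters so the value cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(user_name: str, stripped_user_name: Optional[str] = None) -> str:
    """Model of the config's filter line: %{Stripped-User-Name:-%{User-Name}} means
    'Stripped-User-Name if a realm module set it, otherwise User-Name'."""
    name = stripped_user_name if stripped_user_name else user_name
    return f"(sAMAccountname={ldap_filter_escape(name)})"


def _split_dn(dn: str) -> list[str]:
    """Split a DN on commas that are not escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Comparison key for DNs: cn/ou/dc use case-ignore matching in AD and spacing
    around commas is not significant, so 'CN=X, OU=Y' and 'cn=x,ou=y' compare equal."""
    rdns = []
    for rdn in _split_dn(dn):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def matching_groups(member_of: list[str], allowed_groups: list[str]) -> list[str]:
    """Return the allowed group DNs that appear among the user's memberOf values."""
    have = {normalize_dn(dn) for dn in member_of}
    return [g for g in allowed_groups if normalize_dn(g) in have]


# Constructed sample directory (assumption, not real data): the attributes the
# lookups read, keyed by sAMAccountName, which AD matches case-insensitively.
SAMPLE_DIRECTORY = {
    "christian": {
        "dn": "CN=Christian,OU=employees,DC=qsc,DC=de",
        "memberOf": ["CN=RadiusUsers, OU=Groups, DC=qsc, DC=de",
                     "CN=Staff,OU=Groups,DC=qsc,DC=de"],
    },
    "guest": {
        "dn": "CN=Guest,OU=employees,DC=qsc,DC=de",
        "memberOf": ["CN=Staff,OU=Groups,DC=qsc,DC=de"],
    },
}

# Hypothetical allowed group, written the way an admin might type it.
ALLOWED_GROUPS = ["cn=radiususers,ou=groups,dc=qsc,dc=de"]


def authorize(user_name: str, stripped_user_name: Optional[str] = None,
              directory: dict = SAMPLE_DIRECTORY,
              allowed_groups: list[str] = ALLOWED_GROUPS) -> tuple[str, str]:
    """Model of the authorize step: find the user via the filter, then require
    membership in one of the allowed groups. Returns (decision, detail)."""
    flt = user_filter(user_name, stripped_user_name)
    # The filter is exactly "(sAMAccountname=<escaped name>)", so this sample lookup
    # keys on the escaped name: an injection attempt such as "man)(sAMAccountname=*"
    # becomes a literal that matches no account instead of widening the search.
    key = flt[len("(sAMAccountname="):-1].lower()
    entry = directory.get(key)
    if entry is None:
        return ("Reject", f"no account matched {flt}")
    groups = matching_groups(entry["memberOf"], allowed_groups)
    if not groups:
        return ("Reject", f"{entry['dn']} is not in an allowed group")
    return ("Accept", f"{entry['dn']} is in {groups[0]}")


if __name__ == "__main__":
    for args in [("christian",), ("christian@qsc.de", "christian"),
                 ("guest",), ("man)(sAMAccountname=*",)]:
        print(args, "->", authorize(*args))
```

Two practical points about the posted configuration: the bind password for the query account sits in cleartext in radiusd.conf, so the file should be readable only by the account radiusd runs as; and a simple bind over plain LDAP (port 389 without TLS) transmits that password unencrypted to the AD server.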