Here is my ldap section:

ldap {
                server = "10.1.1.29"
                identity = dmadmin1
                password = [EMAIL PROTECTED]
                basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                # base_filter = "(objectclass=radiusprofile)"

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections (port 389) instead of using ldaps (port 636)
                # connections
                start_tls = no

                # tls_cacertfile        = /path/to/cacert.pem
                # tls_cacertdir         = /path/to/ca/dir/
                # tls_certfile          = /path/to/radius.crt
                # tls_keyfile           = /path/to/radius.key
                # tls_randfile          = /path/to/rnd
                # tls_require_cert      = "demand"

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                #
                # NOTICE: The password_header directive is NOT case insensitive
                #
                # password_header = "{clear}"
                #
                # Set:
                #       password_attribute = nspmPassword
                #
                # to get the user's password from a Novell eDirectory
                # backend. This will work *only if* freeRADIUS is
                # configured to build with --with-edir option.
                #
                #
                #  The server can usually figure this out on its own, and pull
                #  the correct User-Password or NT-Password from the database.
                #
                #  Note that NT-Passwords MUST be stored as a 32-digit hex
                #  string, and MUST start off with "0x", such as:
                #
                #       0x000102030405060708090a0b0c0d0e0f
                #
                #  Without the leading "0x", NT-Passwords will not work.
                #  This goes for NT-Passwords stored in SQL, too.
                #
                # password_attribute = userPassword
                #
                # Un-comment the following to disable Novell eDirectory account
                # policy check and intruder detection. This will work *only if*
                # FreeRADIUS is configured to build with --with-edir option.
                #
                # edir_account_policy_check=no
                #
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes
        }


Verify first that you can in fact query Active Directory with this
username/password combination.

There is a utility called ldapsearch. I believe it comes with OpenLDAP.
Use that to directly query AD for verification.

Here is an example:

ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'dc=domain,dc=com' '(samaccountname=powerful)' -D powerful -w userspass

This seems to work:

[EMAIL PROTECTED] ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu' -D [EMAIL PROTECTED] -w Passw0rd
No such object (32)
Matched DN: DC=serverdm,DC=domain,DC=edu
Additional information: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=serverdm,DC=domain,DC=edu'
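
As an added illustration (not from this thread, and not FreeRADIUS project code), the Python script below turns an rlm_ldap stanza like the one posted above into the ldapsearch command that reproduces the server's own bind and search for one user, and decodes the error output ldapsearch prints. It is standard-library only. The config stanza and the two error transcripts embedded in it are constructed samples modelled on the ones in this thread; the expansion of `%{Stripped-User-Name:-%{User-Name}}` and the RFC 4515 filter escaping mirror what rlm_ldap does before sending the filter, and the sub-status values decoded for result 49 are Active Directory's documented bind error codes.

```python
"""Turn an rlm_ldap stanza into the equivalent ldapsearch test, then read the result.

Added example, not from the mailing-list thread or the FreeRADIUS project.
Standard library only; all sample inputs below are constructed.
"""
import re
import shlex

# Constructed stanza, modelled on the one posted in the thread.
SAMPLE_CONFIG = """
ldap {
    server = "10.1.1.29"
    identity = dmadmin1
    password = secret
    basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    # base_filter = "(objectclass=radiusprofile)"
    start_tls = no
}
"""

# Constructed ldapsearch stderr, in the format shown in the thread (result 32)
# and the format Active Directory returns for a failed bind (result 49).
SAMPLE_NO_SUCH_OBJECT = """No such object (32)
Matched DN: DC=serverdm,DC=domain,DC=edu
Additional information: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=serverdm,DC=domain,DC=edu'
"""
SAMPLE_BAD_BIND = """ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
"""


def parse_ldap_section(text):
    """Return the key = value pairs inside ldap { ... }, with surrounding quotes removed."""
    m = re.search(r"\bldap\s*\{(.*?)\n\s*\}", text, re.S)
    if not m:
        raise ValueError("no ldap { ... } stanza found")
    cfg = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        km = re.match(r"([A-Za-z_]+)\s*=\s*(.*)", line)
        if km:
            value = km.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            cfg[km.group(1)] = value
    return cfg


# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape a value that is substituted into a search filter (as rlm_ldap does)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _matching_brace(s, start):
    """Index of the '}' that closes the '{' at s[start], honouring nesting."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in xlat string: " + s)


def xlat(template, attrs):
    """Expand %{Attr} and %{Attr:-default} references; substituted values are filter-escaped."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            name, has_default, default = template[i + 2:end].partition(":-")
            value = attrs.get(name)
            if value is None and has_default:
                out.append(xlat(default, attrs))   # the default may itself be an xlat
            else:
                out.append(ldap_filter_escape(value or ""))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def ldapsearch_command(cfg, user_name, stripped_user_name=None):
    """argv for the ldapsearch that performs rlm_ldap's bind and search for one user.

    -W prompts for the bind password instead of putting it in argv (the thread's
    -w form leaves it in shell history and in `ps` output)."""
    attrs = {"User-Name": user_name}
    if stripped_user_name is not None:
        attrs["Stripped-User-Name"] = stripped_user_name
    uri = "ldap://%s:%s" % (cfg["server"], cfg.get("port", "389"))
    argv = ["ldapsearch", "-LLL", "-x", "-H", uri]
    if cfg.get("start_tls", "no").lower() == "yes":
        argv.append("-ZZ")    # require StartTLS, as start_tls = yes does
    argv += ["-D", cfg["identity"], "-W", "-b", cfg["basedn"], xlat(cfg["filter"], attrs)]
    return argv


_RESULT_CODES = {
    32: "no such object: the base DN (-b) does not exist on this server",
    34: "invalid DN syntax: the bind DN or base DN is malformed",
    49: "invalid credentials: the bind DN (-D) or password is wrong",
}
# Active Directory sub-status values that follow "data" in a result-49 message.
_AD_BIND_DATA = {"525": "user not found", "52e": "invalid credentials",
                 "532": "password expired", "533": "account disabled",
                 "701": "account expired", "773": "user must reset password",
                 "775": "account locked out"}


def diagnose(stderr_text):
    """Map ldapsearch stderr to (result code, explanation); None when no error is present."""
    m = re.search(r"\((\d+)\)\s*$", stderr_text, re.M)
    if not m:
        return None
    code = int(m.group(1))
    why = _RESULT_CODES.get(code, "LDAP result code %d" % code)
    matched = re.search(r"Matched DN:\s*(\S.*)", stderr_text)
    if code == 32 and matched:
        why += "; the deepest suffix that does exist is '%s'" % matched.group(1).strip()
    data = re.search(r"\bdata ([0-9a-f]+)\b", stderr_text)
    if code == 49 and data and data.group(1) in _AD_BIND_DATA:
        why += " (AD sub-status %s: %s)" % (data.group(1), _AD_BIND_DATA[data.group(1)])
    return code, why


if __name__ == "__main__":
    cfg = parse_ldap_section(SAMPLE_CONFIG)
    print(shlex.join(ldapsearch_command(cfg, "bob@ssotest")))
    for sample in (SAMPLE_NO_SUCH_OBJECT, SAMPLE_BAD_BIND):
        print(diagnose(sample))
```

Two things worth checking against the transcript above. A result of 32 with a "Matched DN" line means the simple bind itself succeeded and only the base DN is wrong; the matched DN is the deepest suffix the server could find, so the base should start there (and note that the default Active Directory user container is CN=Users, not an OU). Second, the value the server substitutes for `%{User-Name}` is filter-escaped before it is sent, so a hand-typed test must escape a username containing `*`, `(`, `)` or `\` the same way, or it will not exercise the filter the server actually uses.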


What does your "ldap" section in radiusd.conf look like? Can you please
provide a copy?


This will confirm whether or not the credentials are correct.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
