Here is my ldap section: ldap { server = "10.1.1.29" identity = dmadmin1 password = [EMAIL PROTECTED] basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections start_tls = no # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # # edir_account_policy_check=no # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes } Verify first that you can infact query Active Directory with this username/password combination. There is a utility called ldapsearch. I believe it comes with OpenLDAP. Use that to directly query AD for verification. Here is an example: ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'dc=domain,dc=com''(samaccountname=powerful)' -D powerful -w userspass This seeems to work: [EMAIL PROTECTED] ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu' -D [EMAIL PROTECTED] -w Passw0rd No such object (32) Matched DN: DC=serverdm,DC=domain,DC=edu Additional information: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=serverdm,DC=domain,DC=edu' What does your "ldap" section in radiusd.conf look like? Can you please provide copy? This will make sure that the credentials are correct or not. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html