Thanks for the very detailed instructions. I will attempt this shortly (bought rad & ad servers home for weekend study).
Quite possible the biggest learning curve for me is the ldap fields but I am finally starting to get familiar with them. Cheers again, will post back once I've run the radtest.

On 4/28/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
> I haven't been following your (quite extensive) queries, so apologies if
> I've missed something fundamental.
>
> I honestly don't know why this is proving so difficult. I've just tested
> this against our own 2k3 AD service, and although I'm pretty familiar
> with FR it took under 5 minutes. Try following the instructions below.
> These were tested with FreeRadius 1.1.4
>
> 1. First, create or locate an existing account which FreeRadius can bind
> and do its searches as. Record the following variables:
>
> SEARCHDN=<the DN of the account>
> SEARCHPW=<the password>
> BASEDN=<the DN below which all your accounts live in AD>
> ADHOST=<hostname of the AD controller you'll search against>
>
> For example, these might be:
>
> SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> SEARCHPW=blahblah
> BASEDN=OU=My Site,DC=mysite,DC=com
>
> 2. Next, take the default "radiusd.conf"
>
> 3. Find the start of the modules section:
>
> modules {
> ...
>
> Delete this line and all the following lines
>
> 4. Insert the following config:
>
> modules {
>   ldap {
>     server = "$ADHOST"
>     identity = "$SEARCHDN"
>     password = "$SEARCHPW"
>
>     basedn = "$BASEDN"
>     filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>     ldap_connections_number = 5
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
>   }
>
>   preprocess {
>     huntgroups = ${confdir}/huntgroups
>     hints = ${confdir}/hints
>
>     with_ascend_hack = no
>     ascend_channels_per_line = 23
>
>     with_ntdomain_hack = no
>     with_specialix_jetstream_hack = no
>     with_cisco_vsa_hack = no
>   }
>
>   detail {
>     detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>     detailperm = 0644
>   }
>
> }
>
> instantiate {
> }
>
> authorize {
>   preprocess
>
>   ldap
> }
>
> authenticate {
>   Auth-Type LDAP {
>     ldap
>   }
> }
>
>
> preacct {
>   preprocess
> }
>
> accounting {
>   detail
> }
>
>
> session {
> }
>
> post-auth {
> }
>
> pre-proxy {
> }
>
> post-proxy {
> }
>
> 5. Start the server with -X
>
> 6. Run "radtest" to send a checking PAP request
>
> It should work.
>
> The above config is the ABSOLUTE BARE MINIMUM server config which will
> check PAP requests ONLY against an AD LDAP server. I do NOT recommend
> you go into service with this config. Try to look at it, understand how
> it's doing what it's doing, *then* start again with the default
> FreeRadius config and make the absolute minimum changes to get back to
> that point.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
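The one line in the quoted config that does real work at request time is the `filter` setting, `(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})`. The following Python is an added example (mine, not code from Phil's post or from the FreeRADIUS project) that models what that expansion does: take `Stripped-User-Name` when a request carries one, fall back to `User-Name` otherwise, and hex-escape the value per RFC 4515 before it lands inside the search filter, which is what rlm_ldap's own expansion does so that a username containing `\`, `*`, `(` or `)` (an AD-style `DOMAIN\user`, for instance) is matched literally rather than reinterpreted as filter syntax. Attribute names and sample request values below are constructed for the illustration.

```python
"""Model of FreeRADIUS's ldap filter expansion for
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

Added illustration; not the FreeRADIUS implementation. Request attributes
are represented as a plain dict of attribute name -> string value.
"""

# RFC 4515 section 3: characters that must be escaped in an assertion
# value so the directory matches them literally.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an LDAP assertion value per RFC 4515 (backslash first is
    unnecessary here because each input character is mapped exactly once)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def pick_username(request: dict) -> str:
    """Mirror the %{Stripped-User-Name:-%{User-Name}} xlat: use
    Stripped-User-Name if present and non-empty, else User-Name."""
    for name in ("Stripped-User-Name", "User-Name"):
        value = request.get(name)
        if value:
            return value
    raise ValueError("request carries neither Stripped-User-Name nor User-Name")


def build_filter(request: dict, attribute: str = "sAMAccountName") -> str:
    """Return the search filter the ldap module would send to AD for
    this request, with the username escaped."""
    return f"({attribute}={escape_filter_value(pick_username(request))})"


if __name__ == "__main__":
    # Constructed sample requests, as radtest (PAP) might produce them.
    samples = [
        {"User-Name": "jdoe"},                               # plain username
        {"User-Name": "jdoe@mysite.com",
         "Stripped-User-Name": "jdoe"},                      # realm stripped
        {"User-Name": "MYSITE\\jdoe"},                       # DOMAIN\user form
        {"User-Name": "a*b"},                                # wildcard char
    ]
    for req in samples:
        print(f"{req!r:60} -> {build_filter(req)}")
```

Run it directly to print the filter each sample request produces. The third and fourth samples show the point of the escaping: `MYSITE\jdoe` becomes `MYSITE\5cjdoe` and `a*b` becomes `a\2ab`, so the directory looks for those exact strings instead of treating the backslash or asterisk as filter syntax. With `with_ntdomain_hack = no` and no realm module in the bare-minimum config, nothing sets `Stripped-User-Name`, so in practice the fallback to `User-Name` is always taken there.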