> So far I have the ldap component querying AD correctly and I have the
> ntlm_auth component doing the same and each individually passing from a
> radtest. My question now revolves around passing the groups in our
> setup and if this is even possible using the protocols listed above.
> Unfortunately, we don't have the option to move away from these
> protocols in our environment. I'm a bit of a freeradius noob so any
> help is appreciated.
I'm not using NTLM for auth, but I am enforcing AD Group access. What I did was fairly simple. I wanted users to either be admins or not (and this is just an example usage):

users:

    DEFAULT Ldap-Group == "grp-admin-admin", Auth-Type = pam
            Reply-Message = "Hello (admin), %{User-Name}",
            Fall-Through = No

    DEFAULT Ldap-Group == "Operator", Auth-Type = pam
            Reply-Message = "Hello (operator), %{User-Name}",
            Fall-Through = No

    DEFAULT Auth-Type := Reject
            Reply-Message = "you are not authorized"

My ldap module config looks like (I have a patched version for exec callouts on string fields. The patch can be found posted to the list):

    ldap {
            server = "myDC"
            port = 636
            identity = "exec:/path/to/passgetter LDAP.user"
            password = "exec:/path/to/passgetter LDAP.pwd"
            basedn = "dc=myorg,dc=myco,dc=org"
            filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})"
            ldap_connections_number = 5
            timeout = 4
            timelimit = 3
            net_timeout = 1
            tls_mode = yes
            tls {
                    start_tls = no
                    cacertfile = /path/to/my/cacerts
                    require_cert = "never"
            }
            dictionary_mapping = ${confdir}/ldap.attrmap
            edir_account_policy_check = no
            groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
            groupmembership_attribute = "memberOf"
            chase_referrals = no
            rebind = no
            set_auth_type = no
            ldap_debug = 0x8000
    }

And then my authorize config (in my site-enabled/default):

    authorize {
            preprocess
            auth_log
            files
            ldap
    }

R. Marc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
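The reply above relies on two things working together: rlm_ldap resolving the user's DN and the groups whose `member` attribute holds it, and the `users` file walking its `DEFAULT` entries in order until one matches (with `Fall-Through = No` stopping there, and the last entry rejecting everyone else). The following is an added model of that decision logic, not code from the original post or from FreeRADIUS; the directory contents, user names and helper functions are constructed assumptions. It also shows the RFC 4515 filter escaping a practitioner should expect to be applied to `%{User-Name}` and `%{Ldap-UserDn}` before they are spliced into the `filter` and `groupmembership_filter` strings, so that a user name containing `*` or `)` cannot change the shape of the search.

```python
"""Model of the group-based authorization in the reply above.

Constructed example: the directory data, names and helpers are
assumptions for illustration, not FreeRADIUS internals.
"""

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_filter_escape(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(user_name):
    """Model of filter = "(CN=%{User-Name})"; the Stripped-User-Name
    fallback from the posted config is omitted from this model."""
    return "(CN=%s)" % ldap_filter_escape(user_name)


def group_filter(user_dn):
    """Model of groupmembership_filter with %{Ldap-UserDn} expanded."""
    return "(&(objectClass=group)(member=%s))" % ldap_filter_escape(user_dn)


# Constructed directory: user -> DN, and group -> set of member DNs.
USER_DNS = {
    "alice": "CN=alice,OU=Staff,DC=myorg,DC=myco,DC=org",
    "bob": "CN=bob,OU=Staff,DC=myorg,DC=myco,DC=org",
    "mallory": "CN=mallory,OU=Guests,DC=myorg,DC=myco,DC=org",
}
GROUP_MEMBERS = {
    "grp-admin-admin": {USER_DNS["alice"]},
    "Operator": {USER_DNS["bob"]},
}


def groups_of(user_name):
    """Model the memberOf lookup: groups whose member attribute holds the DN.
    An unknown user has no DN and therefore belongs to no group."""
    dn = USER_DNS.get(user_name)
    return {g for g, members in GROUP_MEMBERS.items() if dn in members}


# The three DEFAULT entries from the posted users file, in file order.
# group None means the entry has no Ldap-Group check item.
RULES = [
    {"group": "grp-admin-admin", "auth_type": "pam",
     "reply": "Hello (admin), %{User-Name}", "fall_through": False},
    {"group": "Operator", "auth_type": "pam",
     "reply": "Hello (operator), %{User-Name}", "fall_through": False},
    {"group": None, "auth_type": "Reject",
     "reply": "you are not authorized", "fall_through": False},
]


def authorize(user_name):
    """Walk the entries the way the users file does and return the
    Auth-Type and Reply-Message that would be set for this user."""
    member_of = groups_of(user_name)
    result = {}
    for rule in RULES:
        if rule["group"] is not None and rule["group"] not in member_of:
            continue  # Ldap-Group check failed; try the next entry
        result["Auth-Type"] = rule["auth_type"]
        result["Reply-Message"] = rule["reply"].replace("%{User-Name}", user_name)
        if not rule["fall_through"]:
            break  # Fall-Through = No: first match wins
    return result


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory", "nobody"):
        print(name, authorize(name))
    print(user_filter("a*b)(cn=*"))
    print(group_filter(USER_DNS["alice"]))
```

Running it shows `alice` and `bob` getting `Auth-Type = pam` with their respective greetings, while `mallory` (in the directory but in neither group) and `nobody` (not in the directory at all) both fall to the final `Reject` entry, which is the property the ordered `DEFAULT` entries are there to guarantee. The escaped filter output makes the point that a name such as `a*b)(cn=*` stays a single literal CN value.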