> -----Original Message-----
> From: freeradius-users-bounces+jmoe=hatch.com...@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmoe=hatch.com...@lists.freeradius.org] On Behalf Of Alexander Clouter
> Sent: Monday, 8 August 2011 6:14 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Returning attributes based on group membership using NTLM_AUTH
>
> Moe, John <j...@hatch.com.au> wrote:
> >
> > Oh goodie, I'm getting somewhere. :-)
> >
> ...except on the top posting front <email-nazi/>. ;P

You know, I even thought of that before I sent it, but noticed that the reply to which I was replying was top-posted, so I assumed that this list was weird in that respect. I should have known better.

> > 1) So, I don't need to uncomment "ldap" in the authenticate section, as it's
> > not going to do the password validation, right?
>
> Sounds right.
>
> > 2) Do I just configure the module, put "ldap" in the authorize section of
> > sites-enabled/default, and put "Ldap-Group" in the check-items?
>
> Indeed.

I wasn't sure if putting "ldap" into the authenticate section would do some sort of pre-configured checking on its own, even without the Ldap-Group check-item, but the more I read, the more it looked like that wasn't the case. Glad to hear I had it straight.

> > 3) How much/what options do I need to configure in the ldap module config?
> > I've configured server, basedn, filter, groupname_attribute,
> > groupmembership_filter and groupmembership_attribute, but all I get is
> > "Operations error". If I add identity and secret, I get a "Referral" failure.
> > I've also tried the chase_referrals and rebind options, both with and without
> > the identity/secret options, but they don't seem to change anything.
>
> What does the following give you from the command line:
> ----
> ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name sAMAccountName=username
> ----

Operations error (1)
Additional information: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

However, if I take out the "-x", I got an error saying my Kerberos ticket had expired. I did a kdestroy and kinit again; with the "-x", it still gave the error above. Without the "-x", I get what looks like a listing of all the account attributes.

However, at the bottom, it says:

# search reference
ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC=name

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

So something still isn't right.

> Until you can get 'ldapsearch' to work, you are unlikely to get
> FreeRADIUS to work. From the debug output and your description, it
> sounds more like a "how you are using LDAP" rather than "how FreeRADIUS
> is using LDAP" problem.
>
> If you can get ldapsearch to display the attributes you are after, then
> you can start to tinker with FreeRADIUS.

Yeah, I kinda figured it was an "I'm not sure how to configure LDAP properly to talk to my AD" problem. Thanks for the assistance. I'll have a play around with ldapsearch for a while and see if I can't figure this out.

[ snip ]

> If you have the stomach, a quick Google search takes you to the PHP
> website[1] (ewwww) but there is a posting that you should find useful.
> Looks like with Win2k3 you must have referrer following turned off and
> you cannot search the *whole* base of your directory, you can only
> search a sub-branch. I suspect the fix is nothing more than setting
> 'basedn' to "ou=lusers,dc=my,dc=domain,dc=name".

Well, as I said before, I tried with and without "chase_referrals" set. But I didn't mention that I tried using a BaseDN of the container the test user is in, rather than just the root of the domain, and it didn't change the result. I'll have a read through of that article you linked and see if it helps as well.

And if I use ldp.exe (comes with Windows), or Softerra's LDAP Browser, I can connect to the same host, bind using the same credentials, use the same basedn and search using the same filter, and I get results. So I'm not sure what I'm doing wrong.

> Cheers
>
> [1] http://www.php.net/manual/en/function.ldap-search.php#45388
>
> --
> Alexander Clouter
> .sigmonster says: Without fools there would be no wisdom.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

OT and perhaps reply off list, but I'm curious why you say "ewwww" to PHP, and what you would use instead?

John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
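As an added illustration (not code from the thread or from FreeRADIUS), the script below builds the ldapsearch invocation with an explicit simple bind (the "-x" run above fails because, without -D/-W, it is an anonymous bind that AD rejects) and parses the LDIF output quoted above to separate real entries from search references; the sample output, the user DN and the group name are constructed.

```python
"""Build an AD ldapsearch command and triage its LDIF output for referrals."""
import re

# Constructed sample modelled on the output quoted in the thread: one
# entry plus one search reference to the DomainDnsZones partition.
SAMPLE_OUTPUT = """\
dn: CN=Test User,OU=lusers,DC=my,DC=domain,DC=name
sAMAccountName: username
memberOf: CN=VPN Users,OU=groups,DC=my,DC=domain,DC=name

# search reference
ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC=name

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1
"""

DN_RE = re.compile(r"^dn:\s*(.+)$", re.M)
REF_RE = re.compile(r"^ref:\s*(ldap://\S+)", re.M)
# Application/configuration partitions AD advertises when the search base
# is the domain root; they never hold user objects.
PARTITION_RE = re.compile(r"(DomainDnsZones|ForestDnsZones|Configuration)", re.I)


def ldapsearch_cmd(host: str, base: str, bind_dn: str, filt: str) -> list:
    """argv for a simple-bind search; -W prompts for the password so it
    never lands in shell history or process listings."""
    return ["ldapsearch", "-LLL", "-x", "-h", host, "-D", bind_dn, "-W",
            "-b", base, filt, "sAMAccountName", "memberOf"]


def parse_ldapsearch(output: str) -> dict:
    """Split LDIF output into entry DNs and referral URLs, and flag whether
    every referral is just a partition reference (safe to ignore)."""
    entries = DN_RE.findall(output)
    refs = REF_RE.findall(output)
    partition_only = bool(refs) and all(PARTITION_RE.search(r) for r in refs)
    return {"entries": entries, "referrals": refs, "partition_only": partition_only}


def advise(parsed: dict) -> str:
    """Map the parse result to the fix suggested in the thread."""
    if parsed["entries"] and parsed["partition_only"]:
        return "user found; partition referrals only: use an OU as basedn or chase_referrals = no"
    if parsed["referrals"] and not parsed["entries"]:
        return "no entries: check bind credentials and basedn"
    return "clean result"
```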