Hello Andreas, > How to tell freeradius, that after successful MSCHAP auth against AD > it must browse AD via LDAP and check that the username belongs to > specified group?
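// I think, you need to write a script that makes sure that the user is part of a specific group. I would do that in perl, because it gets the job done fast. I copied and pasted such a script not so long time ago in csharp:
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

namespace de.glanzmann.ActiveDirectoryGroupMembership
{
    /// <summary>
    /// Resolves the transitive Active Directory group memberships of a user over LDAP
    /// (following the memberOf attribute recursively) and answers whether the user
    /// belongs to a given group.
    /// </summary>
    public class ActiveDirectoryGroupMembership
    {
        // Bind settings used for every DirectoryEntry created below.
        // NOTE(review): the bind password of a privileged account does not belong in
        // source control; load these from configuration or a secret store instead.
        string ad_connection = "LDAP://ad.gmvl.de/DC=directory,DC=gmvl,DC=de";
        string ad_username = "Administrator";
        string ad_password = "password";

        /// <summary>
        /// Escapes a value for use inside an LDAP search filter (RFC 4515 encoding of
        /// the characters '\', '*', '(', ')' and NUL), so a caller-supplied name cannot
        /// change the structure of the filter it is embedded in.
        /// </summary>
        /// <param name="value">Raw attribute value; null is treated as empty.</param>
        /// <returns>The escaped value, safe to place inside "(attr=...)".</returns>
        public static string EscapeLdapFilterValue(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return string.Empty;
            }
            StringBuilder sb = new StringBuilder(value.Length);
            foreach (char c in value)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*': sb.Append("\\2a"); break;
                    case '(': sb.Append("\\28"); break;
                    case ')': sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default: sb.Append(c); break;
                }
            }
            return sb.ToString();
        }

        /// <summary>
        /// Strips a leading "DOMAIN\" prefix (anything up to the last backslash) from a
        /// logon name. Null or empty input yields an empty string.
        /// </summary>
        string RemoveADGroup(string name)
        {
            if (string.IsNullOrEmpty(name))
            {
                return string.Empty;
            }
            int lastSeparator = name.LastIndexOf('\\');
            return lastSeparator < 0 ? name : name.Substring(lastSeparator + 1);
        }

        /// <summary>
        /// Returns the sAMAccountName of every group the user is (transitively) a member of.
        /// </summary>
        string[] GetRolesForUser(string userName)
        {
            userName = RemoveADGroup(userName);
            return GetUserRoles(userName);
        }

        /// <summary>
        /// Looks the user up by sAMAccountName and collects its group memberships.
        /// </summary>
        /// <param name="userName">Bare account name, without domain prefix.</param>
        /// <returns>Group names; empty when the user is not found or the name is empty.</returns>
        string[] GetUserRoles(string userName)
        {
            Dictionary<string, string> dictionary = new Dictionary<string, string>();
            if (string.IsNullOrEmpty(userName))
            {
                return new string[0];
            }
            // The user name ultimately comes from the authentication request, so it is
            // untrusted: escape it rather than concatenating it raw into the filter.
            string filter = "(sAMAccountName=" + EscapeLdapFilterValue(userName) + ")";
            // DirectoryEntry / DirectorySearcher hold COM handles: dispose them deterministically.
            using (DirectoryEntry obEntry = new DirectoryEntry(ad_connection, ad_username, ad_password))
            using (DirectorySearcher srch = new DirectorySearcher(obEntry, filter))
            {
                SearchResult res = srch.FindOne();
                if (res != null)
                {
                    // Server prefix of the ADsPath ("LDAP://host/"), used to re-bind to group DNs.
                    string rootPath = ad_connection.Substring(0, ad_connection.LastIndexOf('/') + 1);
                    using (DirectoryEntry obUser = new DirectoryEntry(res.Path, ad_username, ad_password))
                    {
                        GetMemberships(obUser, dictionary, rootPath);
                    }
                }
            }
            string[] ary = new string[dictionary.Count];
            dictionary.Values.CopyTo(ary, 0);
            return ary;
        }

        /// <summary>
        /// Walks the memberOf attribute of <paramref name="entry"/> recursively, adding
        /// each group (keyed by DN, valued by sAMAccountName) to <paramref name="dictionary"/>.
        /// Groups already in the dictionary are skipped, which also terminates membership cycles.
        /// </summary>
        void GetMemberships(DirectoryEntry entry, Dictionary<string, string> dictionary, string rootPath)
        {
            List<DirectoryEntry> childrenToCheck = new List<DirectoryEntry>();
            try
            {
                foreach (string childDN in entry.Properties["memberOf"])
                {
                    if (dictionary.ContainsKey(childDN))
                    {
                        continue;
                    }
                    // The DN is server-provided, not caller input, so it is used as-is.
                    // NOTE(review): a DN containing '/' must be escaped in an ADsPath - verify.
                    DirectoryEntry obGpEntry = new DirectoryEntry(rootPath + childDN, ad_username, ad_password);
                    // Register before reading attributes so the entry is disposed even if the read throws.
                    childrenToCheck.Add(obGpEntry);
                    object accountName = obGpEntry.Properties["sAMAccountName"].Value;
                    // Fall back to the DN rather than dereferencing a missing attribute.
                    dictionary.Add(childDN, accountName == null ? childDN : accountName.ToString());
                }
                foreach (DirectoryEntry child in childrenToCheck)
                {
                    GetMemberships(child, dictionary, rootPath);
                }
            }
            finally
            {
                foreach (DirectoryEntry child in childrenToCheck)
                {
                    child.Dispose();
                }
            }
        }

        /// <summary>
        /// True when <paramref name="username"/> is a direct or nested member of the group
        /// named <paramref name="roleName"/> (compared case-insensitively).
        /// </summary>
        public bool IsUserInRole(string username, string roleName)
        {
            if (roleName == null)
            {
                return false;
            }
            string[] ary = GetRolesForUser(username);
            foreach (string s in ary)
            {
                // Ordinal comparison: group names are identifiers, not culture-sensitive text.
                if (string.Equals(roleName, s, StringComparison.OrdinalIgnoreCase))
                {
                    return true;
                }
            }
            return false;
        }
    }
}
// You can copy the logic and put it into perl. Source: http://www.codeproject.com/Articles/36670/Active-Directory-Forms-Authentication-User-IsInRol Cheers, Thomas
// - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html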