I think my bind is working fine now, but my basedn = "o=My Org,c=UA"  field is 
still wrong. I'm still not sure of the syntax. Any suggestions? 


[ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to office.company.stc:389, authentication 0
  [ldap] bind as cn=user name,ou=Phoenix_Users,dc=company,dc=stc/Sup3rS3cret to office.company.stc:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
  [ldap] object not found
rlm_ldap::ldap_groupcmp: search failed
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for tbrady
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> tbrady
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=tbrady)
[ldap]  expand: ou=Phoenix_Users,dc=company,dc=stc -> ou=Phoenix_Users,dc=company,dc=stc
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound





T. Brady



-----Original Message-----
From: freeradius-users-bounces+tbrady=stc-comm....@lists.freeradius.org 
[mailto:freeradius-users-bounces+tbrady=stc-comm....@lists.freeradius.org] On 
Behalf Of Mathieu Simon
Sent: Wednesday, January 09, 2013 12:53 PM
To: FreeRadius users mailing list
Subject: Re: AD Authentication Permissions

Hi Tyler

Since I'm in a similar situation with AD but still learning, just general 
experience with other Applications from the *nix world authenticating against 
AD:

Your AD admin (you?) needs to create a basic user account, no domain admin 
needed, who can read the parts of your AD/LDAP tree, as John said.
(We maintain a couple of srv-* accounts here to quickly distinguish them from real 
user accounts.)

You'll need the value of the distinguishedName attribute in AD. Your admin can 
give you this value, but it's hidden by default in the GUI.*

For "server=" (I don't know if it's recommended for FR too): you could point to 
your.domainname, as this is a DNS record maintained by your AD-integrated 
nameservers, which resolves to the addresses of all your current DCs.

BaseDN - yeah, look up a little what it is; it's the base from which FR starts 
looking inside the LDAP tree.

Regards
Mathieu



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
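Two things in the thread above are worth checking mechanically before touching the FreeRADIUS config: whether a candidate basedn is even a syntactically valid DN (both "o=My Org,c=UA" and "dc=company,dc=stc" are; which one is right depends on what the directory's naming context actually is, and for an AD domain that is the domain name in dc= form), and what the debug output is really telling you (the search under ou=Phoenix_Users,dc=company,dc=stc for (uid=tbrady) succeeded at the protocol level and simply matched nothing). Note also that the rlm_ldap debug output prints the bind DN and its password on one line, so such logs should be scrubbed before being posted. The helpers below are an added example, not FreeRADIUS code and not something either poster wrote; the sample debug lines are constructed from the output quoted above with the wrapped lines joined and the bind line omitted. They split and validate a DN, derive the domain-root basedn from a DNS name, escape a user-supplied value per RFC 4515 independently of whatever escaping rlm_ldap applies, and pull the failed (base, filter) pairs out of debug output. The sAMAccountName filter is shown because AD user objects do not carry a uid attribute by default; the logon name lives in sAMAccountName.

```python
"""Checks for an rlm_ldap basedn and search filter before they go into a
FreeRADIUS config.  Added example; not FreeRADIUS code."""
import re

# RFC 4514 attribute type: a descriptor such as "dc" or "ou", or a dotted OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific RDN first.
    Backslash escapes and quoted values are honoured, so a comma inside a
    value (cn=Brady\\, Tyler) does not start a new RDN.  Raises ValueError
    when the string is not a syntactically valid DN."""
    rdns, buf, i, quoted = [], [], 0, False
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not _ATTR_TYPE.match(attr) or not value:
            raise ValueError("bad RDN %r in %r" % (rdn, dn))
        pairs.append((attr, value))
    return pairs


def domain_to_base_dn(domain):
    """'company.stc' -> 'dc=company,dc=stc': the default naming context of an
    AD domain, and a safe starting basedn when the users' OU is not known."""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + l for l in labels)


def domain_root(base_dn):
    """Drop the leading non-dc RDNs: 'ou=Phoenix_Users,dc=company,dc=stc' ->
    'dc=company,dc=stc'.  With scope sub, a search from the root finds the
    user whichever OU holds it; the narrower base only sees that one OU."""
    pairs = split_dn(base_dn)
    i = 0
    while i < len(pairs) and pairs[i][0].lower() != "dc":
        i += 1
    if i == len(pairs):
        raise ValueError("no dc= component in %r" % base_dn)
    return ",".join("%s=%s" % p for p in pairs[i:])


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter, so that a
    User-Name like 'tbrady)(uid=*' cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch
                   for ch in value)


def user_filter(attribute, username):
    """Build the per-user filter rlm_ldap would expand, e.g. (uid=tbrady)."""
    return "(%s=%s)" % (attribute, escape_filter_value(username))


_SEARCH = re.compile(r"performing search in (?P<base>.+?), "
                     r"with filter (?P<filter>\(.*\))")


def failed_searches(debug_lines):
    """Return (base, filter) for every search in rlm_ldap debug output that
    was followed by 'object not found'."""
    found, pending = [], None
    for line in debug_lines:
        m = _SEARCH.search(line)
        if m:
            pending = (m.group("base"), m.group("filter"))
        elif "object not found" in line and pending:
            found.append(pending)
            pending = None
    return found


# Constructed sample: the debug output quoted above, wrapped lines joined,
# bind line (which carried the password) left out.
SAMPLE_DEBUG = """\
  [ldap] Bind was successful
  [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
  [ldap] object not found
[ldap] search failed
++[ldap] returns notfound
""".splitlines()

if __name__ == "__main__":
    for base, flt in failed_searches(SAMPLE_DEBUG):
        print("nothing matched %s under %s; try basedn=%s and filter %s"
              % (flt, base, domain_root(base),
                 user_filter("sAMAccountName", "tbrady")))
```

Run as a script it reports the failed search from the sample and suggests the domain-root basedn with a sAMAccountName filter; the same functions can be fed a real debug capture after the bind line has been redacted. Whether the user then exists is still a question for ldapsearch against the DC with the same service account, since a syntactically valid DN says nothing about what the directory contains.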
