Well it still seems not to be working. And I could not find your other article, I searched for radiusd.conf and your name and email with no luck. The output is not helpful:
Request:
/usr/local/bin/radtest guest "test" localhost 1 testing123
Sending Access-Request of id 104 to 127.0.0.1:1812
User-Name = "guest"
User-Password = "test"
NAS-IP-Address = blade1.ci.bend.or.us
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104, length=20
Response:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104, length=57
User-Name = "guest"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393
Albers Darren <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 03/17/2004 11:37 AM
With the help of another individual on this list, Richard Lucassen, we were able to get it working to authenticate against either a group or against AD as a whole. To see an example I posted of just authenticating a user in general against AD, look for another post by me with a sample radiusd.conf.
Here is what Richard and I put together to get group auth working, this may not be the 100% correct way but it worked for us and if anyone has any suggestions that would be great. The comments are my comments and since the formatting will probably be borked please don't just copy and paste this into your radiusd.conf:
ldap {
server = "FDC of your DC"
#Account in AD with the rights to query AD for the user account properties, in this example I have an account named freeradius located in
# my users container in the domain dc.domain.com that I am using to auth.
identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com"
#password of the above account
password = password
#Base dn to search from, usually the top of your domain, in this example it is dc.domain.com
basedn = "DC=dc,DC=domain,DC=com"
#This is the search filter to find the user's account and then check its group membership. You will see that I used the full path to the
# group including the container it is located in. This example is for a group named RemoteUser in the users container in the domain
#dc.domain.com
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com))"
password_attribute = userPassword
timeout = 4
timelimit = 3
net_timeout = 1
compare_check_items = yes
}
I commented out the group membership stuff, but I am not sure if that was a bad thing or not. Eventually I plan on writing this into a quick Howto and posting it again.
Let me know if this helps or if you have any further questions and again my thanks to Richard for all his help in getting this working!
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve OBrien
Sent: Wednesday, March 17, 2004 2:24 PM
To: [EMAIL PROTECTED]
Subject: Using freeradius to authenticate users to a Windows 2000 AD
I have seen threads pertaining to this but I cannot seem to get it to work. I would like to authenticate users via freeradius against a Windows 2000 AD domain using LDAP. Is this possible? If so, does anyone have a sample config?
TIA,
Steve
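The memberOf filter from Darren's config, worked through as an added example (not code from the list or from FreeRADIUS): a small in-memory evaluator applies the filter's two assertions to a constructed sample directory, so you can see that an account outside RemoteUser (like the guest account in Steve's debug output) produces no match, and why the User-Name substituted into the filter has to be escaped as RFC 4515 requires. DIRECTORY, the account names and the helper names are assumptions made for this example.

```python
# Constructed sample directory (AD-style); only the attributes the filter touches are modelled.
DIRECTORY = [
    {"sAMAccountName": "alice", "memberOf": ["CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com"]},
    {"sAMAccountName": "bob",   "memberOf": ["CN=Staff,CN=Users,DC=dc,DC=domain,DC=com"]},
    {"sAMAccountName": "guest", "memberOf": []},  # the account rejected in the debug output
]
REMOTE_GROUP = "CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com"
# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    """Escape a value before it is substituted into a filter, as %{User-Name} is in the config."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(user_name, group_dn=REMOTE_GROUP, escape=True):
    """Render the post's AND filter; escape=False reproduces a naive, unescaped substitution."""
    name = escape_filter_value(user_name) if escape else user_name
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (name, escape_filter_value(group_dn))

def assertion_matches(assertion, attr_value):
    """Apply one equality assertion the way a directory server does: an unescaped '*' is a
    substring wildcard, a '\\XX' sequence is one literal character."""
    parts, literal, i = [], "", 0
    while i < len(assertion):
        if assertion[i] == "\\":                      # escaped character: \2a -> '*'
            literal += chr(int(assertion[i + 1:i + 3], 16)); i += 3
        elif assertion[i] == "*":                     # wildcard splits the literal pieces
            parts.append(literal); literal = ""; i += 1
        else:
            literal += assertion[i]; i += 1
    parts.append(literal)
    if len(parts) == 1:                               # plain equality, no wildcard
        return attr_value == parts[0]
    head, tail = parts[0], parts[-1]
    if len(attr_value) < len(head) + len(tail) or not (
            attr_value.startswith(head) and attr_value.endswith(tail)):
        return False
    pos, end = len(head), len(attr_value) - len(tail)
    for mid in parts[1:-1]:                           # inner pieces must appear in order
        idx = attr_value.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return True

def search(user_name, group_dn=REMOTE_GROUP, escape=True):
    """Evaluate the filter's two assertions against DIRECTORY; returns matching account names.
    An escaped name matches at most one account; an unescaped '*' matches every group member."""
    name = escape_filter_value(user_name) if escape else user_name
    group = escape_filter_value(group_dn)
    return [e["sAMAccountName"] for e in DIRECTORY
            if assertion_matches(name, e["sAMAccountName"])
            and any(assertion_matches(group, g) for g in e["memberOf"])]
```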

