In the users file, what should I place so that all users trying to auth go
to my ldap (active directory) ?
DEFAULT Ldap-Group == (??????), Auth-Type := LDAP
        Fall-Through = no
I'm trying to make my final project in my university.
The thing is:
I want to allow/deny wireless users (using Windows XP) using an Access
Point, passing to RADIUS and querying the Active Directory.
What should I do?
Do I have to use certificates?
Thanks and regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kellogg, Chris
Sent: Friday, 13 August 2004 17:03
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory
This is great information, thanks!
By the way, I found that 'UserPrincipalName' did not work; I used
'sAMAccountName' with success.
It leads to a couple new questions, however. What about people who have
users broken into multiple OUs in their Active Directory? The BaseDN option
in radiusd.conf appears to focus the username search to the particular OU
container indicated; nothing underneath that OU will be checked. It's also
apparently not possible to just give the top container and have it search.
I'm not an AD expert, so I might be missing a simple solution.
I am also trying to verify membership in a specific group; LDAP can't find
it, and I'm wondering if anyone has encountered this before. I verified the
Group was in the same OU as indicated by basedn, and the user is a member of
that group.
What have other people done in these situations?
Chris.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: AW: freeRADIUS and Microsoft Active Directory
Hello Hugo,
There is no problem using FR with AD.
Here is an example:
ldap {
        server = your.ad.server.org
        identity = "(some user, you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
        password = (the password)
        basedn = "dc=your,dc=company,dc=org"
        # here you have to choose the filter, I use the
        # UserPrincipalName but you can choose something else too
        filter = "(UserPrincipalName=%u)"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636)
        # connections
        start_tls = no
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        # if you want to check if the user is in a special group you
        # can use this
        groupmembership_filter = "(member=%{Ldap-UserDn})"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
In the authorize and the authentication section you have to uncomment the
ldap entry.
Your users file should look like this:
DEFAULT Ldap-Group == (groupname to check for), Auth-Type := LDAP
        Fall-Through = no
Good Luck
Markus
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: Thursday, 12 August 2004 10:44
To: [EMAIL PROTECTED]
Subject: freeRADIUS and Microsoft Active Directory
Hi all,
Did any of you guys already configure a freeRADIUS with Microsoft Active
Directory?
I know that it is possible to configure "FR" with LDAP, so I think that it's
also possible to do it with AD.
If you could reply to me with some example of the .conf files for this
particular situation, that would be just great! :-) Thanks.
Best regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
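
Added example (not part of the original thread and not FreeRADIUS code): a Python model of the two lookups the ldap block above configures, the user search by sAMAccountName and the group check via member=<user DN>, with RFC 4515 escaping of the substituted values. The directory entries, user and group names and all helper functions are constructed for illustration, and subtree search scope is an assumption of the model.

```python
import re

BASE = "dc=your,dc=company,dc=org"   # basedn from the config in the thread
ANA = "cn=Ana Silva,ou=Staff,ou=People," + BASE
RUI = "cn=Rui (Lab),ou=Students,ou=People," + BASE
# Constructed sample directory (hypothetical users and groups).
DIRECTORY = {
    ANA: {"samaccountname": ["asilva"]},
    RUI: {"samaccountname": ["rlab"]},
    "cn=Wireless,ou=Groups," + BASE: {"member": [ANA]},
    "cn=Lab,ou=Groups," + BASE: {"member": [RUI]},
}
SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping, so substituted input cannot change the filter."""
    return "".join(SPECIALS.get(ch, ch) for ch in value)

def parse_equality_filter(flt):
    """Accept only (attr=value); unescaped *, ( or ) in the value is rejected."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=((?:[^\\*()\0]|\\[0-9a-fA-F]{2})*)\)", flt)
    if not m:
        raise ValueError("not a simple equality filter: %r" % flt)
    unhex = lambda h: chr(int(h.group(1), 16))
    return m.group(1).lower(), re.sub(r"\\([0-9a-fA-F]{2})", unhex, m.group(2))

def search(base, flt, scope="sub"):
    """Return DNs under base ('sub' = whole subtree, 'one' = direct children)."""
    attr, value = parse_equality_filter(flt)
    hits = []
    for dn, attrs in DIRECTORY.items():
        parent = dn.split(",", 1)[1]
        if scope == "sub":
            in_scope = dn.lower().endswith("," + base.lower())
        else:
            in_scope = parent.lower() == base.lower()
        if in_scope and value.lower() in (v.lower() for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits

def is_authorized(username, group):
    """Step 1: resolve the user DN. Step 2: find groups listing that DN as member."""
    users = search(BASE, "(sAMAccountName=%s)" % escape_filter_value(username))
    if len(users) != 1:          # unknown or ambiguous user: reject
        return False
    groups = search(BASE, "(member=%s)" % escape_filter_value(users[0]))
    return any(g.lower().startswith("cn=%s," % group.lower()) for g in groups)
```

In this model a user in a nested OU is found only when the search covers the whole subtree below the base DN, and a user name such as "*" is matched literally instead of acting as a wildcard.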