Hi.

You only need the "Ldap-Group == <group>" portion if you want to restrict 
authentication to those who are a member of "<group>".  Otherwise, you just leave that 
option out.

Chris.

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Hugo Sousa
> Sent: Friday, August 13, 2004 12:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: freeRADIUS and Microsoft Active Directory
> 
> 
> In the users file, what should I place so that all users 
> trying to auth go to my ldap (active directory) ?
> 
> DEFAULT         Ldap-Group == (??????), Auth-Type := LDAP
>                         Fall-Through = no 
> 
> I'm trying to make my final project in my university.
> 
> The thing is:
> 
> I want to allow/deny wireless users (using windows XP) using 
> an Access Point, passing to Radius and querying the active directory.
> 
> What should I do?
> 
> Do I have to use certificates?
> 
>  
> Thanks and regards,
>  
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Kellogg, Chris
> Sent: Friday, August 13, 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: RE: freeRADIUS and Microsoft Active Directory
> 
> This is great information, thanks!
> 
> By the way, I found that 'UserPrincipalName' did not work; I 
> used 'sAMAccountName' with success.
> 
> It leads to a couple new questions, however.  What about 
> people who have users broken into multiple OUs in their 
> Active Directory?  The BaseDN option in radiusd.conf appears 
> to focus the username search to the particular OU container 
> indicated; nothing underneath that OU will be checked.  It's 
> also apparently not possible to just give the top container 
> and have it search.
> 
> I'm not an AD expert, so I might be missing a simple solution.
> 
> I am also trying to verify membership in a specific group; 
> LDAP can't find it, and I'm wondering if anyone has 
> encountered this before.  I verified the Group was in the same 
> OU as indicated by basedn, and the user is a member of that group.
> 
> What have other people done in these situations?
> 
> Chris.
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, August 12, 2004 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: AW: freeRADIUS and Microsoft Active Directory
> 
> 
> Hello Hugo,
> 
> There is no problem using FR with AD.
> 
> Here is an example:
> 
>         ldap {
>                 server = your.ad.server.org
>                 identity = "(some user; you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
>                 password = (the password)
>                 basedn = "dc=your,dc=company,dc=org"
>                 # here you have to choose the filter, I use the UserPrincipalName but you can choose something else to
>                 filter = "(UserPrincipalName=%u)"
> 
>                 # set this to 'yes' to use TLS encrypted connections
>                 # to the LDAP database by using the StartTLS extended
>                 # operation.
>                 # The StartTLS operation is supposed to be used with normal
>                 # ldap connections instead of using ldaps (port 636) connections
>                 start_tls = no
> 
>                 # Mapping of RADIUS dictionary attributes to LDAP
>                 # directory attributes.
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
> 
>                 ldap_connections_number = 5
>                 # if you want to check if the user is in a special group you can use this
>                 groupmembership_filter = "(member=%{Ldap-UserDn})"
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>         }
> In the authorize and the authentication section you have to 
> uncomment the ldap entry.
> 
> 
> Your users file should look like this:
> 
> DEFAULT         Ldap-Group == (groupname to check for), Auth-Type := LDAP
>                         Fall-Through = no
> 
> 
> Good Luck 
> 
> Markus
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Hugo Sousa
> Sent: Thursday, August 12, 2004 10:44
> To: [EMAIL PROTECTED]
> Subject: freeRADIUS and Microsoft Active Directory
> 
> 
> Hi all,
> Have any of you guys already configured freeRADIUS with 
> Microsoft Active Directory? 
> I know that it is possible to configure "FR" with LDAP, so I 
> think that it's also possible to do it with AD. 
> If you could reply to me with some example of the .conf files for 
> this particular situation, that would be just great! :-) Thanks. 
>   
> Best regards, 
>   
> Hugo Sousa
> SysAdmin / NetworkAdmin
> http://www.netsystems.pt
> Portugal 
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
> 
> 
