Title: Message
On Mon 14/11/2005 at 12:13, [EMAIL PROTECTED] wrote:

Today's Topics:

   1. RE: Freeradius vs. ActiveDirectory (Jonathan De Graeve)
   2. Re: Freeradius vs. ActiveDirectory ([EMAIL PROTECTED])
   3. AW: Freeradius vs. ActiveDirectory (Völker)
   4. RE: Failed attempts log (Thierry Hoferlin)
   5. AW: Freeradius vs. ActiveDirectory (Völker)


From: Jonathan De Graeve <[EMAIL PROTECTED]>
To: FreeRadius users mailing list <[email protected]>
Subject: RE: Freeradius vs. ActiveDirectory
Date: Mon, 14 Nov 2005 11:36:45 +0100



What about the password?

I thought this was a kerberos one and didn’t reside into the ldap itself?

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

---------
Always read the manual for the correct way to do things because the number of incorrect ways to do things is almost infinite
---------






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Völker, Christian
Sent: Monday 14 November 2005 11:22
To: [email protected]
Subject: Freeradius vs. ActiveDirectory

Yohoo!

Yes! I did it! ;)

My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory (on 2003 Server). Without ntlm_auth!

Below I have added a short summary how I realized it here.

But now I have a question and I can't solve it for myself. I want to retrieve some group information from AD. In a user's account I find several values "memberOf" and the DN of the group the user belongs to.

Now I want to give access via freeradius only to some special groups.

I have figured out that there are these parameters:

groupname_attribute, groupmembership_filter and groupmembership_attribute

combined with some entries in the users-file.

I've read the doc/rlm_ldap, but I didn't find any deeper hints or explanation.

Questions:

1. Where can I find some docs about the %{...} values in groupmembership_filter? Which one should I use in combination with my AD?

2. Which value should I use then in the users-file?

3. Is there anyone who can give a little help in further authenticating with group?

-------------short summary how to authenticate vs. ActiveDirectory -----------------------

/etc/raddb/radiusd.conf

[...]

 ldap {
        #servername with an AD-Server running Win2003Srv
        server = "adsrv.qsc.de"

        #The Useraccount for querying AD (anonymous query is disabled)
        identity = "cn=man,ou=ServiceAdmins,dc=qsc,dc=de"

        #The password for the Query-User
        password = 'xxxxxx'

        #base DN for user search; all our Users are in ou=employees.
        #Without this "ou=...", no user will be found. I don't understand why
        basedn = "ou=employees,dc=qsc,dc=de"

        # I've copied the below string, because I didn't understand the meanings of the %{...}
        filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"

        # I had to increase the timeouts
        timeout = 40
        timelimit = 30
        net_timeout = 10
    }

The users-file left on default, no changes.

I hope, I could help some people trying to use AD for radius.

And, I hope, someone will help me with my user-problem.

Greets

Christian
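
The `%{Stripped-User-Name:-%{User-Name}}` expression in the filter above means "use Stripped-User-Name if the request carries it, otherwise fall back to User-Name". The following is an added example, not part of the original messages and not FreeRADIUS code: a simplified Python model of that expansion that also applies RFC 4515 escaping to the substituted value, so a user name containing filter metacharacters stays a literal inside the search filter. The function names and the sample requests are constructed for illustration.

```python
# Simplified model of "%{Attr}" / "%{Attr:-fallback}" expansion (assumption:
# this mirrors the documented behaviour, it is not FreeRADIUS source code).

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

FILTER = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"  # from the post


def ldap_escape(value):
    """Escape a request-supplied value for use inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def _matching_brace(s, start):
    """Index of the '}' closing the '%{' whose body starts at `start`."""
    depth = 1
    for j in range(start, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced %{...} in template")


def _expand_ref(body, request):
    """Expand one reference: 'Name' or 'Name:-fallback-template'."""
    name, has_default, fallback = body.partition(":-")
    value = request.get(name)
    if value:
        return ldap_escape(value)           # only request data is escaped
    return expand(fallback, request) if has_default else ""


def expand(template, request):
    """Expand every %{...} in `template` using the attributes in `request`."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 2)
            out.append(_expand_ref(template[i + 2:end], request))
            i = end + 1
        else:
            out.append(template[i])         # literal text from the config
            i += 1
    return "".join(out)
```
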

From: [EMAIL PROTECTED]
To: FreeRadius users mailing list <[email protected]>
Subject: Re: Freeradius vs. ActiveDirectory
Date: Mon, 14 Nov 2005 10:42:07 +0000

Hi,

> I hope, I could help some people trying to use AD for radius.

there is another way - use the krb module to authenticate against AD

alan

From: "Völker, Christian" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list <[email protected]>
Subject: AW: Freeradius vs. ActiveDirectory
Date: Mon, 14 Nov 2005 11:50:10 +0100

Yohoo!


> What about the password?
Which password? The User-Password? Or the shared secret?
The Password for the Proxy-User is written down in the radiusd.conf.


> I thought this was a kerberos one and didn't reside into the ldap itself?
Kerberos is installed, but I don't use it (I think so! ;-))

Greets 
Christian




From: Thierry Hoferlin <[EMAIL PROTECTED]>
To: FreeRadius users mailing list <[email protected]>
Subject: RE: Failed attempts log
Date: Mon, 14 Nov 2005 11:50:39 +0100

 
Thanks Nicolas,

It works fine.

Just for info, the attributes to use in the mssql.conf file are
"postauth_table" and "postauth_query"
With the following radius configuration :

post-auth {

	Post-Auth-Type REJECT {
		sql
	}
}


Regards,

Thierry.

 


>Thierry Hoferlin wrote:
>
>> I've configured a freeradius 1.0.5 with MSSQL authentication.
>> It works fine.
>>
>> Is there a way to log failed authentication records to SQL?
>
>Please don't post HTML on the list.
>
>Search the archives for detailed instructions, but the general idea is
>to use the module "sql" in section "post-auth".
>
>http://freeradius.org/radiusd/doc/Post-Auth-Type
>
>--
>Nicolas Baradakis
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html


From: "Völker, Christian" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list <[email protected]>
Subject: AW: Freeradius vs. ActiveDirectory
Date: Mon, 14 Nov 2005 11:51:26 +0100

Yohoo!


>> I hope, I could help some people trying to use AD for radius.
>there is another way - use the krb module to authenticate against AD

Are there any advantages/ disadvantages ldap <-> krb5?




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Hello.

I made a Freeradius 1.04 working configuration to authenticate users using krb5. It works without any problem, and if you look at the Microsoft documentation, you will see that it recommends using krb5 for Alien (Unix...)/Microsoft cross authentication.

When using LDAP you must "translate" standard attributes into Microsoft ones, without many warranties that it will keep working on the next patch. I know Microsoft wants to make its AD more compatible with standards, but for the moment I still wait and see.

On the other hand, LDAP is a much more powerful protocol that does not only deal with authentication, while Kerberos's only goal is authentication. Maybe powerful users may use LDAP's powerfulness through Radius. I do not, and I'm not able to help you in that way.

If someone is interested in using Radius<->krb5<->AD, I may (I have very poor English and I'm not a radius "hacker") help him.

Just post to this mailing list that you are interested in it and I will answer as soon as I can.

Bye.

Stephane