Hello mailing list! I have tried to search the archive and the web for the
answer to my question but I am unable to find the answer... I'm sure someone here has run into this before. I am attempting to set up the good old freeradius + active directory + access point to get peap going scenario. I have freeradius set up fine to use ldap to auth the user, and it works. I am attempting to set up finer access control (well, really simple) to check if the user is a member of a group before allowing access. Here are some configs:

radiusd.conf:

    ldap {
        server = "domaincontroller.my.domain.com"
        identity = "adreader"
        password = "test1234"
        basedn = "cn=users,dc=my,dc=domain,dc=com"
        filter = "(sAMAccountName=%u)"
        port = 636
        start_tls = no
        tls_mode = no
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = "memberOf"
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

In my users file all I have is:

    DEFAULT Ldap-Group == "badgroup", Auth-Type := Reject
            Reply-Message = "Sorry, you are not allowed to have access"

When I use NTRadPing
to test with a user that is in "badgroup" I still get an Access-Accept back. I can do an ldap search using the groupmembership_filter and I get back all the groups my test user is in, so I know that isn't the problem. Of course, when I do my search I replace the %{Ldap-UserDn} with the actual "cn=username,<what I have for basedn>". Also, I have the groupmembership_attribute defined because, from what I gather from the docs, it is used if the groupmembership filter fails. Anywho, when I send an auth request while watching the debug output I don't see anything about checking for group/groupmembership/etc. If I change my filter (filter = "(sAMAccountName=%u)") to also check for the group name, everything will work, but of course I would like to use the users file. I've got TLS set to no and port set to 636 because I am using a crap-tacular windows 2000 domain, which doesn't support TLS :( I think I am missing something or something isn't quite right. Anyone have any ideas, or has anyone gotten ldap group checking to work against active directory?

Thanks

--
System Analyst
Air2Web, Inc.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
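As an added illustration (not code from this thread or from FreeRADIUS itself), a Python model of the three lookups the posted configuration describes, run against a constructed in-memory directory instead of a live domain controller: the sAMAccountName filter, the groupmembership_filter with the user DN substituted, and the memberOf fallback, feeding the users-file check. Assumed, not taken from the post: that the Ldap-Group comparison accepts either the group's full DN or its cn, and that values substituted into a filter are escaped per RFC 4515 before they are sent.

```python
import re

# Constructed stand-in for the directory (not a real AD export): DN -> attributes.
DIRECTORY = {
    "cn=jdoe,cn=users,dc=my,dc=domain,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"],
        "memberOf": ["cn=badgroup,cn=users,dc=my,dc=domain,dc=com"]},
    "cn=asmith,cn=users,dc=my,dc=domain,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["asmith"],
        "memberOf": ["cn=okgroup,cn=users,dc=my,dc=domain,dc=com"]},
    "cn=badgroup,cn=users,dc=my,dc=domain,dc=com": {
        "objectClass": ["group"], "cn": ["badgroup"],
        "member": ["cn=jdoe,cn=users,dc=my,dc=domain,dc=com"]},
}

def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter, so a login name
    such as 'jdoe)(objectClass=*' cannot change the query's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def find_user_dn(username, basedn="cn=users,dc=my,dc=domain,dc=com"):
    # filter = "(sAMAccountName=%u)", searched under basedn
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(basedn) and username in attrs.get("sAMAccountName", []):
            return dn
    return None

def groups_by_filter(user_dn):
    # groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
    # returns the filter that would be sent plus the group DNs it matches here
    flt = "(&(objectClass=group)(member=%s))" % ldap_escape(user_dn)
    hits = [dn for dn, a in DIRECTORY.items()
            if "group" in a.get("objectClass", []) and user_dn in a.get("member", [])]
    return flt, hits

def in_ldap_group(user_dn, wanted):
    """Model of the check item Ldap-Group == "badgroup": assumed to accept either
    the group's full DN or its cn; the filter lookup is tried first and the
    groupmembership_attribute (memberOf) on the user's entry is the fallback."""
    groups = groups_by_filter(user_dn)[1] or DIRECTORY.get(user_dn, {}).get("memberOf", [])
    for g in groups:
        cn = g.split(",")[0].split("=", 1)[1]
        if wanted.lower() in (g.lower(), cn.lower()):
            return True
    return False

def authorize(username):
    """DEFAULT Ldap-Group == "badgroup", Auth-Type := Reject (None: no match)."""
    dn = find_user_dn(username)
    return "Reject" if dn and in_ldap_group(dn, "badgroup") else None
```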