Hello mailing list!

I have tried to search the archive and the web for the answer to my question but I am unable to find the answer.

I'm sure someone here has run into this before.

I am attempting to set up the good old freeradius + active directory + access point scenario to get PEAP going.

I have freeradius set up fine to use ldap to auth the user, and it works.

I am attempting to set up finer access control (well, really simple) to check if the user is a member of a group before allowing access.

Here are some configs:

radiusd.conf

        ldap {
                server = "domaincontroller.my.domain.com"
                identity = "adreader"
                password = "test1234"
                basedn = "cn=users,dc=my,dc=domain,dc=com"
                filter = "(sAMAccountName=%u)"
                port = 636
                start_tls = no
                tls_mode = no
                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword

                groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
                groupmembership_attribute = "memberOf"
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

In my users file all I have is:

DEFAULT Ldap-Group == "badgroup", Auth-Type := Reject
        Reply-Message = "Sorry, you are not allowed to have access"

When I use NTRadPing to test with a user that is in "badgroup" I still get an Access-Accept back.

I can do an ldap search using the groupmembership_filter and I get back all the groups my test user is in, so I know that isn't the problem. Of course when I do my search I replace the %{Ldap-UserDn} with the actual "cn=username,<what I have for basedn>".

Also I have the groupmembership_attribute defined because, from what I gather from the docs, it is used if the groupmembership filter fails.

Anywho, when I send an auth request while watching the debug output I don't see anything about checking for group/groupmembership/etc.

If I change my filter (filter = "(sAMAccountName=%u)") to also check for the group name, everything will work, but of course I would like to use the users file.

I've got TLS set to no and port set to 636 because I am using a crap-tacular windows 2000 domain, which doesn't support TLS :(

I think I am missing something or something isn't quite right. Anyone have any ideas, or has anyone gotten ldap group checking to work against active directory?

Thanks

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
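As an added illustration (an editor's example, not code from the post or from FreeRADIUS), the script below models the two-step check the configuration in the post is meant to perform: resolve the user's DN with filter = "(sAMAccountName=%u)", substitute that DN into groupmembership_filter, fall back to the groupmembership_attribute (memberOf) when the filter returns nothing, as the post describes, and finally apply the users-file rule Ldap-Group == "badgroup". The in-memory directory, every DN, user and group in it, and the assumption that Ldap-Group matches on the group's CN or its full DN are constructed for the example; the script mirrors the configured behaviour, not rlm_ldap's source. Two details worth seeing in working code: DN comparison must be case-insensitive (AD returns CN=Users,DC=... while the basedn in the post is lower-case), and any value substituted into a filter, the user DN included, needs RFC 4515 escaping or a CN containing parentheses breaks the filter.

```python
"""Editor's added example: model of the LDAP group check configured in the post.
Constructed data only; every DN, user and group here is hypothetical."""
from typing import Dict, List, Optional

Directory = Dict[str, Dict[str, List[str]]]

# Constructed AD-like directory: DN -> attributes. AD returns mixed-case DNs.
DIRECTORY: Directory = {
    "CN=jsmith,CN=Users,DC=my,DC=domain,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jsmith"],
        "memberOf": ["CN=badgroup,CN=Users,DC=my,DC=domain,DC=com"]},
    "CN=ajones,CN=Users,DC=my,DC=domain,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["ajones"],
        "memberOf": ["CN=wifi-users,CN=Users,DC=my,DC=domain,DC=com"]},
    # CN with parentheses breaks a naively built filter; memberOf left empty so
    # only the member filter can find this user's group.
    "CN=Pat Smith (Contractor),CN=Users,DC=my,DC=domain,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["psmith"], "memberOf": []},
    "CN=badgroup,CN=Users,DC=my,DC=domain,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=jsmith,CN=Users,DC=my,DC=domain,DC=com",
                   "CN=Pat Smith (Contractor),CN=Users,DC=my,DC=domain,DC=com"]},
    "CN=wifi-users,CN=Users,DC=my,DC=domain,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=ajones,CN=Users,DC=my,DC=domain,DC=com"]},
}
BASEDN = "cn=users,dc=my,dc=domain,dc=com"  # lower-case, as in the post


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for any value placed inside a search filter. Needed for
    DNs like CN=Pat Smith (Contractor),... and to stop a crafted username from
    changing the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def normalize_dn(dn: str) -> str:
    """LDAP DN matching is case-insensitive; compare a canonical form.
    Simplified: does not handle escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def user_filter(username: str) -> str:
    """The post's filter = "(sAMAccountName=%u)" with %u substituted."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


def group_filter(user_dn: str) -> str:
    """The post's groupmembership_filter with %{Ldap-UserDn} substituted."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)


def find_user_dn(directory: Directory, basedn: str, username: str) -> Optional[str]:
    """Step 1: subtree search under basedn for the user entry; returns its DN."""
    base = normalize_dn(basedn)
    for dn, attrs in directory.items():
        ndn = normalize_dn(dn)
        if ndn != base and not ndn.endswith("," + base):
            continue
        if any(v.lower() == username.lower() for v in attrs.get("sAMAccountName", [])):
            return dn
    return None


def groups_via_member_filter(directory: Directory, user_dn: str) -> List[str]:
    """Step 2a: groups whose member attribute holds the user's DN."""
    target = normalize_dn(user_dn)
    return [dn for dn, attrs in directory.items()
            if "group" in attrs.get("objectClass", [])
            and any(normalize_dn(m) == target for m in attrs.get("member", []))]


def groups_via_memberof(directory: Directory, user_dn: str) -> List[str]:
    """Step 2b: groupmembership_attribute fallback, read memberOf on the user."""
    return list(directory.get(user_dn, {}).get("memberOf", []))


def rdn_value(dn: str) -> str:
    """'CN=badgroup,CN=Users,...' -> 'badgroup'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def ldap_group_matches(directory: Directory, basedn: str, username: str, group: str) -> bool:
    """Models Ldap-Group == "<group>": assumed (for this example) to match on the
    group's CN or its full DN, case-insensitively."""
    user_dn = find_user_dn(directory, basedn, username)
    if user_dn is None:
        return False
    groups = groups_via_member_filter(directory, user_dn) or groups_via_memberof(directory, user_dn)
    return any(rdn_value(g).lower() == group.lower() or normalize_dn(g) == normalize_dn(group)
               for g in groups)


def decide_auth_type(directory: Directory, basedn: str, username: str,
                     bad_group: str = "badgroup") -> Optional[str]:
    """The users-file rule: DEFAULT Ldap-Group == "badgroup", Auth-Type := Reject.
    Returns "Reject" when it matches; None means the rule did not match and the
    request proceeds to normal authentication."""
    return "Reject" if ldap_group_matches(directory, basedn, username, bad_group) else None


if __name__ == "__main__":
    for user in ("jsmith", "ajones", "psmith", "nobody"):
        dn = find_user_dn(DIRECTORY, BASEDN, user)
        print(user, "->", dn, "| Auth-Type:", decide_auth_type(DIRECTORY, BASEDN, user))
        if dn:
            print("   ldapsearch filter:", group_filter(dn))
```

The printed group_filter line is the string to paste into ldapsearch when reproducing the check by hand, with the DN already escaped; the psmith entry shows why the escaping matters, and the "nobody" case shows that a user the first search cannot find never matches the Ldap-Group rule at all, so the rule neither accepts nor rejects them.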