The only trouble I have with IAS is that most of the users are contained in a separate AD forest. I have a 2-way trust with another organization. I can authenticate users of the trusted org from my domain over LDAP... however, I can't rely on the trusted domain's "Dial In" settings for IAS. Which is why I'm looking for a way to use LDAP only. I've tried, as you suggested, proxying requests to my AD IAS, but I suppose my remote access policy has issues of its own.
--- ho <[EMAIL PROTECTED]> wrote:
> Hi,
>
> i've tried a lot, but at the moment we have got a very smart solution to
> combine the flexibility of freeradius with authentication of central AD:
>
> 1) setting up an ms ias server, which is only there for authenticating, i
> have got only one policy!
> 2) setting up freeradius to proxy the authentication-requests to the ias.
> 3) Authorization still remains on the freeradius
> 4) Accounting with freeradius/mysql
>
> I've tried to use samba but AD-Gurus were not amused to integrate a
> samba-box into the AD ;-)
>
> For me it was the "perfect" solution.
>
> ho
>
> ----- Original Message -----
> From: "Josh" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Wednesday, May 24, 2006 6:36 PM
> Subject: Yet Another AD Question
>
> > I've crawled the web for info and tried numerous things to get FreeRadius
> > authenticating users with a 2003 Active Directory.
> >
> > I'm currently running FreeRadius (with MySQL) on RHEL4 using the RPMs
> > included with RHEL4:
> >
> > freeradius-1.0.1-3.RHEL4
> > freeradius-mysql-1.0.1-3.RHEL4
> >
> > Running radiusd in debug mode (-X) shows a successful bind to the AD
> > server. I then can see rlm_ldap performing a search and then eventually
> > fails:
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> > <snip>
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter cn=administrator
> > ldap_search
> > put_filter: "cn=administrator"
> > put_filter: default
> > put_simple_filter: "cn=administrator"
> > ldap_send_initial_request
> > ldap_send_server_request
> > ldap_result msgid 2
> > ldap_chkResponseList for msgid=2, all=1
> > ldap_chkResponseList returns NULL
> > wait4msg (timeout 4 sec, 0 usec), msgid 2
> > wait4msg continue, msgid 2, all 1
> > ** Connections:
> > * host: org.my.domain.com port: 389 (default)
> > refcnt: 2 status: Connected
> > last used: Wed May 24 12:14:51 2006
> >
> > ** Outstanding Requests:
> > * msgid 2, origid 2, status InProgress
> > outstanding referrals 0, parent count 0
> > ** Response Queue:
> > Empty
> > ldap_chkResponseList for msgid=2, all=1
> > ldap_chkResponseList returns NULL
> > ldap_int_select
> > read1msg: msgid 2, all 1
> > ldap_read: message type search-result msgid 2, original id 2
> > ldap_chase_referrals
> > read1msg: V2 referral chased, mark request completed, id = 2
> > new result: res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
> > read1msg: 0 new referrals
> > read1msg: mark request completed, id = 2
> > request 2 done
> > res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
> > ldap_free_request (origid 2, msgid 2)
> > ldap_free_connection
> > ldap_free_connection: refcnt 1
> > ldap_parse_result
> > ldap_err2string
> > rlm_ldap: ldap_search() failed: Operations error
> > ldap_msgfree
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authenticate]: module "ldap" returns fail for request 0
> > modcall: group authenticate returns fail for request 0
> > auth: Failed to validate the user.
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> > I'm not sure if I'm using the wrong ldap search or what. Here's my ldap
> > section of radiusd.conf:
> >
> > server = "org.my.domain.com"
> > ldap_debug = 0xFFFF
> > basedn = "cn=Users,dc=org,dc=my,dc=domain,dc=com"
> > filter = "cn=%u"
> > start_tls = no
> > access_attr = "dialupAccess"
> > dictionary_mapping = ${raddbdir}/ldap.attrmap
> > ldap_connections_number = 5
> > timeout = 4
> > timelimit = 3
> > net_timeout = 1
> >
> > Although I'd like to avoid it, would it be easier to install SAMBA on the
> > RHES4 box and connect SAMBA to AD and then connect FreeRadius to SAMBA?
> > I've also come across possible issues with certain versions of openldap
> > and 2003 AD?
> >
> > As soon as this part is working I'll be authenticating wireless users
> > (using Cisco APs) as well. But I think that should run fairly smooth as
> > soon as FreeRadius and AD are talking the same language.
> >
> > I hope there are some Radius/AD gurus out there?
> >
> > Many thanks in advance...
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
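The rlm_ldap trace quoted above has a readable failure pattern: the initial bind succeeds, the search goes out, "ldap_chase_referrals" / "V2 referral chased" appears, and the result that ends the search is resultCode 1 (operationsError) carrying AD's DSID-0C090627 comment "a successful bind must be completed on the connection". The OpenLDAP client library follows a referral on a fresh connection, and that connection is anonymous unless a rebind procedure has been installed, so the domain controller refuses the continued search. The script below is an added example, not code from the thread or from FreeRADIUS: it parses a trace in the format shown (ldap_debug = 0xFFFF) and classifies the failure. The SAMPLE_TRACE is constructed from the quoted lines, and the verdict names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt, modelled on the rlm_ldap / OpenLDAP debug trace quoted
# in the thread. Not a real capture.
SAMPLE_TRACE = """\
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=org,dc=my,dc=domain,dc=com, with filter cn=administrator
ldap_search
ldap_result msgid 2
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 2
new result: res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, res_matched: <>
rlm_ldap: ldap_search() failed: Operations error
modcall[authenticate]: module "ldap" returns fail for request 0
auth: Failed to validate the user.
"""

# Subset of LDAP resultCode values (RFC 4511) that show up in these traces.
LDAP_RESULT_CODES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                     49: "invalidCredentials", 50: "insufficientAccessRights"}

# AD's diagnostic text for an operation attempted on an unbound (anonymous) connection.
UNBOUND_HINT = "successful bind must be completed"

SEARCH_RE = re.compile(r"rlm_ldap: performing search in (?P<base>.+?), with filter (?P<filter>.+)$")
RESULT_RE = re.compile(r"res_errno: (?P<errno>\d+), res_error: <(?P<err>[^>]*)>")
DSID_RE = re.compile(r"DSID-(?P<dsid>[0-9A-Fa-f]+)")
COMMENT_RE = re.compile(r"comment: (?P<comment>.*?), data ")


@dataclass
class SearchDiagnosis:
    bind_ok: bool = False
    base_dn: Optional[str] = None
    search_filter: Optional[str] = None
    referral_chased: bool = False
    res_errno: Optional[int] = None
    dsid: Optional[str] = None
    comment: Optional[str] = None
    search_failed: bool = False
    verdict: str = "inconclusive"


def result_code_name(code: int) -> str:
    return LDAP_RESULT_CODES.get(code, f"resultCode {code}")


def classify(d: SearchDiagnosis) -> str:
    if not d.bind_ok:
        return "bind_not_confirmed"
    if (d.search_failed and d.referral_chased and d.res_errno == 1
            and d.comment and UNBOUND_HINT in d.comment):
        # Bind succeeded, then a referral was chased and the next result is
        # operationsError with the "bind must be completed" text: the referral
        # was followed over a connection that never bound, so the DC treated
        # the continued search as anonymous.
        return "referral_chased_unbound"
    if d.search_failed:
        return "search_failed_other"
    return "no_failure_seen"


def parse_rlm_ldap_trace(text: str) -> SearchDiagnosis:
    d = SearchDiagnosis()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "rlm_ldap: Bind was successful":
            d.bind_ok = True
        elif (m := SEARCH_RE.match(line)):
            d.base_dn, d.search_filter = m.group("base"), m.group("filter")
        elif "referral chased" in line or line == "ldap_chase_referrals":
            d.referral_chased = True
        elif (m := RESULT_RE.search(line)) and d.res_errno is None:
            # Keep the first server result after the search; the trace repeats it.
            d.res_errno = int(m.group("errno"))
            err = m.group("err")
            if (dm := DSID_RE.search(err)):
                d.dsid = dm.group("dsid")
            if (cm := COMMENT_RE.search(err)):
                d.comment = cm.group("comment")
        elif line.startswith("rlm_ldap: ldap_search() failed"):
            d.search_failed = True
    d.verdict = classify(d)
    return d


def explain(d: SearchDiagnosis) -> str:
    code = result_code_name(d.res_errno) if d.res_errno is not None else "n/a"
    return "\n".join([
        f"bind ok: {d.bind_ok}", f"search base: {d.base_dn}",
        f"filter: {d.search_filter}", f"referral chased: {d.referral_chased}",
        f"result: {code}", f"DSID: {d.dsid}", f"verdict: {d.verdict}",
    ])


if __name__ == "__main__":
    print(explain(parse_rlm_ldap_trace(SAMPLE_TRACE)))
```

Run it against a radiusd -X capture to separate "the bind itself failed" from "the bind worked but the search died after a referral"; the two look alike at the "Failed to validate the user" line but need different fixes.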

