From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hangjun He
Sent: Monday, 17 December 2007 18:32
To: FreeRadius users mailing list
Subject: Can I get group-name from Active-directory?
FreeRADIUS 1.1.6 + samba-tools + active-directory.
Can I get a user's group-name by rlm_ldap? How?
The following is the result of ldap-search (using an ldap client):
# Paul Le, Users, test.com
dn: CN=Paul Le,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Paul Le
sn: Levasseur
distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com
instanceType: 4
whenCreated: 20061118204047.0Z
whenChanged: 20061120041505.0Z
displayName: Paul Levasseur
uSNCreated: 53309
memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com
uSNChanged: 61454
name: Paul Levasseur
objectGUID:: TWcfmIP0S0KptrqNYMartA==
In radiusd.conf set the ldap group parameters:
groupname_attribute = memberOf
groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
If you prefer you can use sAMAccountName instead of cn, or even both:
groupmembership_filter = "(|(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))"
Regards,
Frank Ranner
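
Added example, not part of the original thread and not FreeRADIUS code: a small Python helper that pulls the group names out of the memberOf values in ldapsearch output like the one in the question. It is useful for checking which group strings a directory entry actually carries before matching on them. The sample entry is constructed, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample modelled on the ldapsearch output in the question.
SAMPLE_LDIF = (
    "dn: CN=Paul Le,CN=Users,DC=test,DC=com\n"
    "memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com\n"
    "memberOf: CN=Staff\\, Contract,OU=Groups,\n"
    " DC=test,DC=com\n"                       # folded continuation line
    "memberOf:: "                             # base64 form used for non-ASCII
    + base64.b64encode("CN=G\u00e4ste,CN=Users,DC=test,DC=com".encode()).decode()
    + "\n"
)

def attr_values(ldif, attr):
    """Return all values of `attr`, unfolding lines and decoding 'attr::' base64."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 line folding
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def first_rdn_value(dn):
    """Value of the leftmost RDN with RFC 4514 escapes resolved, or None."""
    m = re.match(r"\s*[A-Za-z][\w-]*\s*=((?:\\.|[^,+\\])*)", dn)
    if not m:
        return None
    raw, out, i = m.group(1), bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16)); i += 3   # \2C style hex pair
        elif raw[i] == "\\" and i + 1 < len(raw):
            out += raw[i + 1].encode(); i += 2              # \, style escape
        else:
            out += raw[i].encode(); i += 1
    return out.decode("utf-8")

def group_names(ldif):
    """Group name (leftmost RDN value) of every memberOf DN in the entry."""
    return [first_rdn_value(dn) for dn in attr_values(ldif, "memberOf")]

if __name__ == "__main__":
    print(group_names(SAMPLE_LDIF))
```

Splitting the DN on every comma would cut a group such as "Staff, Contract" short, which is why the escapes are resolved before the name is compared with anything.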