Errr, after looking at the code more carefully (and after a full night's
sleep), I realized that I was *way* off the mark on this!

The setup below will bind and open the actual domain object, not the user
object.  Although I guess using the UPN to authenticate the OpenDSObject
call against the domain is a start, it's not really where we want to be in
order to check anything at all about the user (since we haven't opened the
user object, just the domain object).  I'm not sure why I didn't see this
yesterday...

From what I can tell, the only way to use a UPN is to use an ADODB search of
the AD.  I'm not a Perl expert, and really new to ADSI, but I may just try
to write my own handler for this.  Anybody else have interest?

- MBM

-----Original Message-----
From: Motley, Mark [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 27, 2002 5:19 PM
To: '[EMAIL PROTECTED]'
Subject: (RADIATOR) Win2k, ADSI, and group membership

I'm in the process of evaluating Radiator for our environment.

During this time, I've figured something out that may be helpful to others.
I've also encountered a problem that I hope I can get help with... kind of a
give-take situation here folks!  ;-)

My goal is to get Radiator to authenticate to our Win2k Active Directory
tree.  I'm running Radiator on a Win2k server.

We have users strung throughout various OU's in the tree and no real
standard on CN names (some have spaces and some have dots between the first
& last names).  Hence the only thing I can really grab onto is the
principalName (UPN, in the RFC822 email format).

I've been able to use this as follows:

BindString LDAP://server/dc=et,dc=rootad,dc=com
AuthUser [EMAIL PROTECTED]
# We'll use normal NTLM auth (AuthFlags=1, which is default)
# AuthFlags 0

Here I'm specifying the root of the domain, and using the UPN as a username
(adding the domain name part).  Based on my information from MSDN, looks
like GetADObject supports the UPN, so we're in business and it works great.

I know somebody had asked about this before, so hopefully this will help.

Now, my problem.  Right now, we restrict access to our dial-up service via
Win2k group membership.  In other words, if a user wants dial-up access, we
add them to a specific Win2k group (e.g. "DialUp Users") which grants them
the access.  This works fine using CiscoSecure ACS (our current RADIUS
server) by mapping the WinNT group to an ACS group then allowing that group
access to the NAS.

How in the devil do you do this with Radiator??  I just can't figure this
out...

Any help is appreciated, and thanks in advance...

- MBM
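The two pieces discussed in this thread (looking a user up by UPN with an ADODB search of the directory, then checking Win2k group membership before granting dial-up access) can be combined in a small Perl script. This is an added example, not Radiator code and not the poster's handler; it assumes Win32::OLE on a domain-joined Win2k host, the domain root and the "DialUp Users" group name from the post, and an account that can read the directory.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): resolve a UPN to a user object with an
# ADO search over the ADsDSOObject provider, then check group membership.
# Assumes Win32::OLE on a domain-joined Win2k host with read access to AD.
use strict;
use warnings;
use Win32::OLE qw(in);

my $DOMAIN_ROOT = 'LDAP://dc=et,dc=rootad,dc=com';   # domain root from the post
my $DIALUP_CN   = 'DialUp Users';                     # group named in the post

# Escape characters that are special in an LDAP filter (RFC 2254), since the
# UPN arrives from the RADIUS client and must not be able to reshape the query.
sub ldap_escape {
    my ($v) = @_;
    $v =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;
    return $v;
}

# Return the distinguishedName for a UPN, or undef if there is no unique match.
sub upn_to_dn {
    my ($upn) = @_;
    my $conn = Win32::OLE->new('ADODB.Connection') or die Win32::OLE->LastError;
    $conn->{Provider} = 'ADsDSOObject';
    $conn->Open('Active Directory Provider');
    my $filter = '(&(objectCategory=person)(objectClass=user)(userPrincipalName='
               . ldap_escape($upn) . '))';
    my $rs = $conn->Execute("<$DOMAIN_ROOT>;$filter;distinguishedName;subtree");
    return undef if !$rs || $rs->EOF;
    my $dn = $rs->Fields('distinguishedName')->{Value};
    $rs->MoveNext;
    return undef unless $rs->EOF;   # more than one hit: refuse rather than guess
    return $dn;
}

# True if the user object is a direct member of the named group (IADsUser::Groups).
sub in_group {
    my ($dn, $group_cn) = @_;
    my $user = Win32::OLE->GetObject("LDAP://$dn") or return 0;
    for my $grp (in $user->Groups) {
        return 1 if lc($grp->{cn}) eq lc($group_cn);
    }
    return 0;
}

my $upn = shift @ARGV or die "usage: $0 user\@et.rootad.com\n";
my $dn  = upn_to_dn($upn);
if (!defined $dn)               { print "REJECT: no unique user for $upn\n"; exit 1; }
if (!in_group($dn, $DIALUP_CN)) { print "REJECT: $upn not in '$DIALUP_CN'\n"; exit 1; }
print "ACCEPT: $upn ($dn) is in '$DIALUP_CN'\n";
```

Only direct membership is checked here; nested groups would need a walk of each group's own memberOf.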
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.