On 09/12/2012 08:03 PM, Craig Simons wrote:
> Basically, our AD permission structure is such that not all OU
> containers are "trusted" enough to allow wireless authentication. So, I
> only want to allow authentication based on user entries in a specific OU
> as opposed to users who are members of a group (not quite the same thing
> I'm led to believe).

Yes, I think these are different things. The LDAP tree structure AD uses tells where the users can be found, and the user then has, e.g., group membership as an attribute.

> We (currently) run Radiator on Windows servers and therefore use the LSA
> module for AD authentication. The manual doesn't have any specific
> configuration options for this module that appear to be able to limit
> searches.

The AD directory tree structure is not visible via the LSA API. We thought about two options:

1. Use AuthBy LDAP2 and AuthBy LSA. The LDAP check is done first to see if the user has a DN (location in the tree) with an allowed OU component. This does require configuration work and maybe hooks too, but should be possible.

2. Create a new group and place all users that are not allowed to use the wireless LAN in that group. We could then add 'BlacklistGroup' functionality in AuthBy LSA. If a user is a member of the blacklisted group, access would not be allowed.

Do you think option 2 would solve your problem?

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
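The DN check behind option 1, as an added example that is not Radiator's own code: take the DN that the LDAP lookup returns for the user, split it into RDNs (honouring the backslash escapes AD emits for names like "Simons, Craig"), and accept only when one of its OU components is in a trusted set. The trusted OU name and the sample DNs are constructed for this example; how the verdict is fed into AuthBy LDAP2 or a hook is left to the Radiator configuration.

```python
from typing import Iterable, List, Tuple

HEX = "0123456789abcdefABCDEF"

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute, value) pairs, leaf first.
    Handles '\\,' character escapes and single-byte '\\2C' hex escapes."""
    pairs: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(h in HEX for h in nxt):
                (value if in_value else attr).append(chr(int(nxt, 16)))
                i += 3
            else:
                (value if in_value else attr).append(dn[i + 1])
                i += 2
            continue
        if c == "=" and not in_value:
            in_value = True          # first unescaped '=' ends the attribute name
        elif c == ",":               # unescaped ',' ends the RDN
            pairs.append(("".join(attr).strip(), "".join(value)))
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(c)
        i += 1
    if attr or value:
        pairs.append(("".join(attr).strip(), "".join(value)))
    return pairs

def ou_components(dn: str) -> List[str]:
    """OU values of the DN, nearest the leaf first, casefolded (AD is case-insensitive)."""
    return [v.casefold() for a, v in parse_dn(dn) if a.casefold() == "ou"]

def allowed_by_ou(dn: str, trusted_ous: Iterable[str]) -> bool:
    """Accept only if an OU component of the DN is trusted. Only OU attributes
    are consulted, so a CN equal to a trusted OU name does not match. Any
    ancestor OU counts, so do not nest untrusted OUs beneath a trusted one."""
    trusted = {t.casefold() for t in trusted_ous}
    return any(ou in trusted for ou in ou_components(dn))

TRUSTED_OUS = {"Wireless Users"}   # assumed OU name, constructed for this example
SAMPLE_DNS = [                     # constructed DNs, not from the thread
    "CN=Simons\\, Craig,OU=Staff,OU=Wireless Users,DC=example,DC=com",  # accept
    "CN=Wireless Users,OU=Contractors,DC=example,DC=com",               # reject
    "CN=jdoe,OU=wireless users,DC=example,DC=com",                      # accept
]
```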
