(RADIATOR) Radiator and Active Directory

Stuart Kendrick skendric at fhcrc.org
Thu Aug 2 08:37:57 CDT 2007


hi gavin,

and that approach sends the usernames/passwords in clear-text over the 
wire, from the Radiator boxes to port 3268 on the AD boxes

which is not the worst thing in the world to do.  but which gives my 
security colleagues the heebie-jeebies when i mention it to them

-do you have any ideas on how to encrypt that pathway?

-and, conceptually, what are you doing with 'ldap_groups.pl'?  i'm 
wanting to better understand what kind of fancy decision-making i can 
implement using hooks, and i'm guessing that you're doing something 
fancy here

--sk

stuart kendrick
fhcrc

Gavin Norman wrote:
> We've managed to have our Radius server authenticate off our Active
> Directory infrastructure, even with group memberships. You will find our
> original posts at
> http://www.nabble.com/forum/ViewPost.jtp?post=10354268&framed=y
> 
> We're using the LDAP2 module, Here is the AuthBy context:
> 
> <AuthBy LDAP2>
>         Identifier AuthByLDAP
> 
>         #Debug 255
> 
>         # LDAP bind
>         Host dc.mydomain.com.au
>         HoldServerConnection
>         Timeout 4
>         Port 3268
>         AuthDN cn=Service Account,cn=Users,dc=my,dc=domain,dc=com,dc=au
>         AuthPassword servicepass
> 
>         # The client authentication
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         BaseDN ou=All Users,dc=my,dc=domain,dc=com,dc=au
>         AuthAttrDef sAMAccountName,GENERIC,request
>         AuthAttrDef memberOf,GENERIC,request
>         PostSearchHook file:"%D/hooks/ldap_groups.pl"
> </AuthBy>
> 
> Hope this helps.
> 
> Gavin Norman
> Helpdesk Administrator
>  
> Europcar Asia-Pacific
>   
> 
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Hugh Irvine
> Sent: Thursday, 2 August 2007 8:40 AM
> To: kem at cse.psu.edu
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Radiator and Active Directory
> 
> 
> Hello Kem -
> 
> You would use something like this:
> 
> 
> <Handler .....>
> 
> 	AuthByPolicy ContinueWhileAccept
> 
> 	<AuthBy LDAP2>
> 		.....
> 		SearchFilter .......
> 		......
> 	</AuthBy>
> 
> 	<AuthBy KRB5>
> 		.....
> 	</AuthBy>
> 
> </Handler>
> 
> 
> See section 5.36.15 in the Radiator 3.17.1 reference manual ("doc/ref.html").
> 
> regards
> 
> Hugh
> 
> 
> 
> On 2 Aug 2007, at 01:51, Kem Hartley wrote:
> 
>> Hello,
>> 	I'm trying to use radiator to authenticate remote access vpn  
>> users. Logon credentials are only userid and password.  So a user  
>> attempts to log on using their userid, userXYZ with password,  
>> somepassword.  I would like radiator to check whether or not  
>> userXYZ is a staff or faculty member based on ldap attribute  
>> "description".  If the check succeeds, it validates userid and  
>> password via AuthBy KRB5.  Is there a way to do this?  I've got the  
>> kerberos part working, but not the ldap check.
>>
>> Thanks in advance.
>>
>> --Kem
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
> 

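Two questions in this thread ask for the same thing: Kem wants an LDAP attribute ("description") checked before the Kerberos step, and Stuart asks what a PostSearchHook such as Gavin's ldap_groups.pl does with the memberOf values that the AuthBy returns. The script below is an added illustration of that decision logic in Python, not Radiator's hook API, not Gavin's script and not Radiator's own code; the Policy/Decision/evaluate names and the sample LDAP entries are constructed for this example. It models what the hook sees (a dictionary of attribute values from the search) and what it must return (accept or reject, with a reason for the log), including the cases that trip up a naive check: DNs whose case and spacing differ between the directory and the config, escaped commas inside a DN, and an account for which AD returned no memberOf or description at all (AD omits empty attributes rather than returning them blank).

```python
"""Accept/reject decision modelled on an LDAP post-search hook.

Added example: the attribute dictionaries below are constructed sample
data, and Policy/Decision/evaluate are names assumed for this illustration,
not Radiator's hook interface.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # DNs of groups whose direct members may log in (compared after normalisation).
    allowed_groups: frozenset = frozenset()
    # Values of the 'description' attribute that mark an allowed account.
    allowed_descriptions: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas; a backslash escapes the next character
    (AD produces DNs such as 'CN=Doe\\, John,OU=...')."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around '=' or ','.
    A config that says 'CN=VPN Users, OU=Groups' must still match the directory."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.strip().partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def get_attr(entry: dict, name: str) -> list:
    """Case-insensitive attribute lookup. LDAP attributes are multi-valued and AD
    leaves out attributes with no values, so a missing one yields [] not an error."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return list(value) if isinstance(value, (list, tuple)) else [value]
    return []


def evaluate(entry: dict, policy: Policy) -> Decision:
    """Group membership is checked first, then the description attribute.
    Note: memberOf lists direct memberships only (no nesting, and not the
    account's primary group), so policy groups must be ones users are added to directly."""
    user = get_attr(entry, "sAMAccountName")
    if not user:
        return Decision(False, "entry has no sAMAccountName")
    if policy.allowed_groups:
        wanted = {normalize_dn(g) for g in policy.allowed_groups}
        for group in get_attr(entry, "memberOf"):
            if normalize_dn(group) in wanted:
                return Decision(True, f"{user[0]} is a direct member of {group}")
    if policy.allowed_descriptions:
        wanted = {d.lower() for d in policy.allowed_descriptions}
        for desc in get_attr(entry, "description"):
            if desc.strip().lower() in wanted:
                return Decision(True, f"{user[0]} has description '{desc}'")
    return Decision(False, f"{user[0]} matches no allowed group or description")


# Constructed sample entries, shaped like what an LDAP search against AD returns.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["userXYZ"], "description": ["Faculty"],
     "memberOf": ["CN=VPN Users,OU=Groups,DC=my,DC=domain,DC=com,DC=au"]},
    {"sAMAccountName": ["contractor1"], "description": ["Contractor"],
     "memberOf": ["CN=Doe\\, John Team,OU=Groups,DC=my,DC=domain,DC=com,DC=au"]},
    {"sAMAccountName": ["svc-backup"]},  # AD returned neither memberOf nor description
]

# Constructed policy; note the spacing and case differ from the directory's DN form.
POLICY = Policy(
    allowed_groups=frozenset({"cn=vpn users, ou=groups, dc=my, dc=domain, dc=com, dc=au"}),
    allowed_descriptions=frozenset({"staff", "faculty"}),
)


def run_samples() -> list:
    return [evaluate(entry, POLICY) for entry in SAMPLE_ENTRIES]


if __name__ == "__main__":
    for decision in run_samples():
        print("ACCEPT" if decision.accept else "REJECT", "-", decision.reason)
```

Run as-is it accepts userXYZ (group match wins before the description is consulted) and rejects the other two, logging why. In a real hook the rejection should also go to the RADIUS reply's Reply-Message or the trace log so that the helpdesk can tell "not in the group" from "wrong password", which is a different failure produced by the later AuthBy step.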