(RADIATOR) Radiator and Active Directory

Hugh Irvine hugh at open.com.au
Thu Aug 2 16:03:41 CDT 2007


Hello Stuart -

Here is the URL which includes the hook code:

	http://www.nabble.com/%28RADIATOR%29-LDAP-Auth-against-Microsoft-AD---limiting-access-by-AD-Group-tf3702627.html#a10354268

BTW - the alternative is to run an instance of Radiator on a Windows  
box and use a RADSEC tunnel from the main Radiator host to the  
Windows host. The instance of Radiator on the Windows box can then  
use the AuthBy LSA clause which is much more flexible.

See sections 5.51, 5.61 and 5.77 in the Radiator 3.17.1 reference
manual ("doc/ref.html").

regards

Hugh


On 2 Aug 2007, at 23:37, Stuart Kendrick wrote:

> hi gavin,
>
> and that approach sends the usernames/passwords in clear-text over  
> the wire, from the Radiator boxes to port 3268 on the AD boxes
>
> which is not the worst thing in the world to do.  but which gives  
> my security colleagues the heebie-jeebies when i mention it to them
>
> -do you have any ideas on how to encrypt that pathway?
>
> -and, conceptually, what are you doing with 'ldap_groups.pl'?  i'm  
> wanting to better understand what kind of fancy decision-making i  
> can implement using hooks, and i'm guessing that you're doing  
> something fancy here
>
> --sk
>
> stuart kendrick
> fhcrc
>
> Gavin Norman wrote:
>> We've managed to have our Radius server authenticate off our Active
>> Directory infrastructure, even with group memberships. You will find our
>> original posts at
>> http://www.nabble.com/forum/ViewPost.jtp?post=10354268&framed=y
>> We're using the LDAP2 module. Here is the AuthBy context:
>> <AuthBy LDAP2>
>>         Identifier AuthByLDAP
>>         #Debug 255
>>         # LDAP bind
>>         Host dc.mydomain.com.au
>>         HoldServerConnection
>>         Timeout 4
>>         Port 3268
>>         AuthDN cn=Service Account,cn=Users,dc=my,dc=domain,dc=com,dc=au
>>         AuthPassword servicepass
>>         # The client authentication
>>         ServerChecksPassword
>>         UsernameAttr sAMAccountName
>>         BaseDN ou=All Users,dc=my,dc=domain,dc=com,dc=au
>>         AuthAttrDef sAMAccountName,GENERIC,request
>>         AuthAttrDef memberOf,GENERIC,request
>>         PostSearchHook file:"%D/hooks/ldap_groups.pl"
>> </AuthBy>
>> Hope this helps.
>> Gavin Norman
>> Helpdesk Administrator
>>  Europcar Asia-Pacific
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
>> Behalf Of Hugh Irvine
>> Sent: Thursday, 2 August 2007 8:40 AM
>> To: kem at cse.psu.edu
>> Cc: radiator at open.com.au
>> Subject: Re: (RADIATOR) Radiator and Active Directory
>> Hello Kem -
>> You would use something like this:
>> <Handler .....>
>> 	AuthByPolicy ContinueWhileAccept
>> 	<AuthBy LDAP2>
>> 		.....
>> 		SearchFilter .......
>> 		......
>> 	</AuthBy>
>> 	<AuthBy KRB5>
>> 		.....
>> 	</AuthBy>
>> </Handler>
>> See section 5.36.15 in the Radiator 3.17.1 reference manual ("doc/ref.html").
>> regards
>> Hugh
>> On 2 Aug 2007, at 01:51, Kem Hartley wrote:
>>> Hello,
>>> 	I'm trying to use radiator to authenticate remote access vpn
>>> users. Logon credentials are only userid and password. So a
>>> user attempts to log on using their userid, userXYZ with
>>> password, somepassword. I would like radiator to check whether
>>> or not userXYZ is a staff or faculty member based on ldap
>>> attribute "description". If the check succeeds, it validates
>>> userid and password via AuthBy KRB5. Is there a way to do
>>> this? I've got the kerberos part working, but not the ldap check.
>>>
>>> Thanks in advance.
>>>
>>> --Kem
>>>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
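Stuart's question about encrypting the path between Radiator and the AD global catalog can also be addressed inside the AuthBy LDAP2 clause itself, rather than only through the RadSec-to-Windows/AuthBy LSA arrangement Hugh describes: the LDAP2 module can speak LDAPS (or StartTLS) and verify the domain controller's certificate. The fragment below is an added example written for this page; it is not Gavin's configuration and not text from the Radiator manual. Hostnames, DNs, file paths and the service-account details are placeholders, and the TLS-related parameter names (UseSSL, UseTLS, SSLCAFile, SSLVerify) are assumed from the AuthBy LDAP2 section of doc/ref.html and should be confirmed for the Radiator version in use.

```conf
# Added example: the cleartext global-catalog lookup from the thread
# (Port 3268, no TLS) replaced by an LDAPS connection with certificate
# verification. Everything below is illustrative, not Radiator's docs.
<AuthBy LDAP2>
        Identifier AuthByLDAP-TLS
        Host dc.example.com
        # 3269 is the global catalog over SSL; 3268 (used in the
        # thread) carries the service-account bind, the user's bind
        # and every search result in clear.
        Port 3269
        UseSSL
        # Alternative: keep Port 3268 and use StartTLS instead:
        #   Port 3268
        #   UseTLS
        # Pin the internal CA and require a valid DC certificate.
        # Without SSLVerify an on-path attacker can still terminate
        # the TLS session and harvest the passwords.
        SSLCAFile %D/certs/internal-ca.pem
        SSLVerify require
        HoldServerConnection
        Timeout 4

        # Search-only service account. This password sits in clear in
        # the config file, so keep the file readable by Radiator only.
        AuthDN cn=Service Account,cn=Users,dc=example,dc=com
        AuthPassword servicepass

        # Bind as the user to check the password. This only works for
        # PAP requests, because the bind needs the cleartext password;
        # MS-CHAP/MS-CHAPv2 is the case where AuthBy LSA on a Windows
        # host (Hugh's alternative) is needed.
        ServerChecksPassword
        UsernameAttr sAMAccountName
        BaseDN ou=All Users,dc=example,dc=com
        # Kem's case from the thread: restrict the search to accounts
        # whose description is staff or faculty, so anyone else gets no
        # entry back and is rejected before a password is ever tried.
        # %0 is replaced by UsernameAttr and %1 by the user name.
        SearchFilter (&(%0=%1)(|(description=staff)(description=faculty)))
        AuthAttrDef memberOf,GENERIC,request
        PostSearchHook file:"%D/hooks/ldap_groups.pl"
</AuthBy>
```

The weak and the corrected settings differ only in Port, UseSSL, SSLCAFile and SSLVerify; the rest mirrors the clause Gavin posted. With `trace 4` debugging enabled, a failed certificate check shows up as a bind failure before any user search, which is the quickest way to confirm that verification is actually on rather than silently skipped.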


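Stuart also asks what a hook like ldap_groups.pl conceptually does. The script below is an added illustration of the group-membership decision such a PostSearchHook would make, written for this page; it is not Gavin's hook (his file is not in the thread) and not Radiator code. The group DNs and the two sample memberOf lists are constructed. Only the matching logic is shown: which hook argument carries the LDAP entry and how a reject is signalled back to Radiator must be taken from the PostSearchHook description in doc/ref.html, so the function is written to be called from the hook with the list of memberOf values.

```perl
#!/usr/bin/perl
# Added example (not from the thread): decide whether an AD account
# may proceed, based on the memberOf values returned by the search.
use strict;
use warnings;

# Normalise a DN so that case and whitespace around RDN separators do
# not cause false mismatches: "CN=VPN Users, OU=Groups,DC=example,DC=com"
# and "cn=vpn users,ou=groups,dc=example,dc=com" compare equal.
# Commas escaped with a backslash inside a value are not separators.
sub normalise_dn {
    my ($dn) = @_;
    my @rdns = split /(?<!\\),/, $dn;
    for (@rdns) {
        s/^\s+//;
        s/\s+$//;
        s/\s*=\s*/=/;
    }
    return lc join ',', @rdns;
}

# Allowed groups as full DNs (placeholders). Matching a group by CN
# substring, e.g. /VPN Users/, would also accept "VPN-Users-Guests" or
# a same-named group in another OU, so whole DNs are compared instead.
my %ALLOWED = map { normalise_dn($_) => 1 } (
    'CN=VPN Users,OU=Groups,DC=example,DC=com',
    'CN=Network Staff,OU=Groups,DC=example,DC=com',
);

# Returns the first memberOf value that is an allowed group, or undef.
# Caveat: AD's memberOf holds direct memberships only; the account's
# primary group and groups reached through nesting are not listed, so
# nested "VPN Users" membership needs a separate group search.
sub allowed_group {
    my ($member_of) = @_;
    for my $dn (@$member_of) {
        return $dn if $ALLOWED{ normalise_dn($dn) };
    }
    return undef;
}

# Constructed sample values, shaped like AD returns them.
my @staff_groups = (
    'CN=Domain Users,CN=Users,DC=example,DC=com',
    'cn=vpn users, ou=groups, dc=example, dc=com',
);
my @guest_groups = (
    'CN=VPN-Users-Guests,OU=Groups,DC=example,DC=com',
    'CN=VPN Users,OU=Contractors,DC=example,DC=com',
);

for my $case ([ staff => \@staff_groups ], [ guest => \@guest_groups ]) {
    my ($label, $groups) = @$case;
    my $hit = allowed_group($groups);
    printf "%s: %s\n", $label, defined $hit ? "accept via $hit" : 'reject';
}

# Inside Radiator the hook would obtain the list with
#   my @groups = $entry->get_value('memberOf');
# where $entry is the Net::LDAP::Entry passed to PostSearchHook (see
# doc/ref.html for the argument position) and then call allowed_group().
```

The first list is accepted because its second value normalises to an allowed DN despite different case and spacing; the second list is rejected because a CN prefix match and a same-named group in a different OU are exactly the cases whole-DN comparison is meant to exclude.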