(RADIATOR) LDAP Auth against Microsoft AD - limiting access by AD Group
Robert Blayzor
rblayzor at inoc.net
Mon May 7 11:18:49 CDT 2007
Chris Rosan wrote:
> We're in the process of setting up a new Radiator server which provides
> authorisation for some realms via LDAP to Microsoft Active Directory.
> I'm using Radiator 3.17.1-1 on Redhat 4, & Windows 2003 Domain controllers.
We're doing something similar, but not using LDAP. We're using FreeBSD
to auth to Win2k3 AD server. Our config ended up looking something like:
<AuthBy GROUP>
        Identifier NTAuth
        AuthByPolicy ContinueUntilAccept
        RejectEmptyPassword

        <AuthBy FILE>
                Filename %D/users
                NoDefault
        </AuthBy>

        <AuthBy NTLM>
                NtlmAuthProg ntlm_auth --helper-protocol=ntlm-server-1 \
                        --require-membership-of='FOO\Network Admins'
                Domain FOO
                UsernameMatchesWithoutRealm
                AddToReply cisco-avpair = "shell:priv-lvl=15"
        </AuthBy>

        <AuthBy NTLM>
                NtlmAuthProg ntlm_auth --helper-protocol=ntlm-server-1 \
                        --require-membership-of='FOO\Operators'
                Domain FOO
                UsernameMatchesWithoutRealm
                AddToReply cisco-avpair = "shell:priv-lvl=1"
        </AuthBy>
</AuthBy>
Don't know if this helps...
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: 0x66F90BFC @ http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720 292A 8580 500E 66F9 0BFC
Logic: The art of being wrong with confidence...
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
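The chain above is worth modelling before deploying it, because its security properties come from ordering: with ContinueUntilAccept the first AuthBy that accepts wins, so a user in both AD groups gets whichever privilege level is listed first, and an empty password is rejected before any child clause runs. The Python below is an added example, not Robert's configuration or Radiator code; the dictionaries of passwords and group memberships are constructed stand-ins for what winbind would answer to ntlm_auth --require-membership-of, and the user names, passwords and the "localadmin" entry in the %D/users stand-in are invented for the test.

```python
"""Model of the AuthBy GROUP / ContinueUntilAccept chain from the post.

Constructed example: AD_PASSWORDS and AD_GROUPS stand in for the answers
winbind would give ntlm_auth; LOCAL_USERS stands in for %D/users.
"""
import hmac
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-in for the domain (what ntlm_auth would verify).
AD_PASSWORDS: Dict[str, str] = {
    "alice": "s3cret-alice",
    "bob": "s3cret-bob",
    "carol": "s3cret-carol",
}
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"FOO\\Network Admins", "FOO\\Operators"},  # in both groups
    "bob": {"FOO\\Operators"},
    "carol": set(),                                       # in neither
}
# Constructed stand-in for the AuthBy FILE users file; NoDefault means no
# DEFAULT entry, so unknown users are rejected rather than falling through.
LOCAL_USERS: Dict[str, str] = {"localadmin": "local-only-pw"}

ACCEPT, REJECT = "ACCEPT", "REJECT"
Result = Tuple[str, Dict[str, str]]
AuthBy = Callable[[str, str], Result]


def strip_realm(username: str) -> str:
    """UsernameMatchesWithoutRealm: 'bob@foo.example' -> 'bob'."""
    return username.split("@", 1)[0]


def password_ok(expected: str, supplied: str) -> bool:
    """Constant-time comparison so the model does not leak by timing."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def authby_file(username: str, password: str) -> Result:
    """AuthBy FILE with NoDefault: accept only users listed in the file."""
    expected = LOCAL_USERS.get(username)
    if expected is None or not password_ok(expected, password):
        return REJECT, {}
    return ACCEPT, {}


def make_authby_ntlm(required_group: str, priv_lvl: int) -> AuthBy:
    """AuthBy NTLM with --require-membership-of and an AddToReply avpair."""
    def check(username: str, password: str) -> Result:
        user = strip_realm(username)
        expected = AD_PASSWORDS.get(user)
        if expected is None or not password_ok(expected, password):
            return REJECT, {}
        # Group check happens after the password check, as ntlm_auth does.
        if required_group not in AD_GROUPS.get(user, set()):
            return REJECT, {}
        return ACCEPT, {"cisco-avpair": f"shell:priv-lvl={priv_lvl}"}
    return check


# Same order as the posted config: most privileged group first.
CHAIN: List[AuthBy] = [
    authby_file,
    make_authby_ntlm("FOO\\Network Admins", 15),
    make_authby_ntlm("FOO\\Operators", 1),
]


def authenticate(username: str, password: str, chain: List[AuthBy] = CHAIN) -> Result:
    """AuthBy GROUP with RejectEmptyPassword and ContinueUntilAccept."""
    if password == "":
        return REJECT, {}          # RejectEmptyPassword: no child is consulted
    last: Result = (REJECT, {})
    for authby in chain:
        last = authby(username, password)
        if last[0] == ACCEPT:
            return last            # first accept wins; later clauses never run
    return last                    # nothing accepted: overall reject


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret-alice"), ("bob@foo.example", "s3cret-bob"),
                     ("carol", "s3cret-carol"), ("alice", "")]:
        print(user, authenticate(user, pw))
```

Running the module shows alice landing at priv-lvl=15 even though she is also an Operator; passing `list(reversed(CHAIN))` to `authenticate` gives her priv-lvl=1, which is the ordering mistake to watch for when adding further groups to a chain like this.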