(RADIATOR) LDAP Auth against Microsoft AD - limiting access by AD Group
Hugh Irvine
hugh at open.com.au
Mon May 7 20:40:28 CDT 2007
Hello Chris -
You haven't included the AuthBy LDAP2 clause in your mail, but you
should be using an AuthSelect and/or AuthAttrDef's to do the checking.
I don't understand the DefineGlobalVar that you show below.
regards
Hugh
On 7 May 2007, at 18:21, Chris Rosan wrote:
> Dear List,
>
> We’re in the process of setting up a new Radiator server which
> provides authorisation for some realms via LDAP to Microsoft
> Active Directory. I’m using Radiator 3.17.1-1 on Redhat 4, &
> Windows 2003 Domain controllers.
>
> I need to restrict access to users in specific AD groups. These
> are for both Dial-in & VPN client authentication. So far we are
> just using the “radpwtst” utility to test authentication.
>
> I can’t get it to allow/deny access based on the group membership.
>
> Snippets of the config file:
>
> <Handler NAS-IP-Address=x.x.x.x,Realm=subdomain1.mydomain.com.au>
>     RewriteUsername s/rho\.subdomain2/subdomain1/
>     DefineGlobalVar AuthLDAPGroup "AU Remote Access - Dial"
>     AuthBy AuthByLDAP
> </Handler>
>
> It just seems to ignore checking that the user is a member of the
> LDAP group “AU Remote Access – Dial”.
>
> Trace 4 snip shows this being sent back to Radiator from the LDAP
> server:
>
> LDAP got memberOf: CN=AU Remote Access - Dial
>
> Can anyone shed some light or assist?
>
> Chris Rosan
> Systems Administrator
> Europcar Asia Pacific
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page