(RADIATOR) LDAP Auth against Microsoft AD - limiting access by AD Group

Wed May 9 03:29:27 CDT 2007

Hello Chris -

I suggest you add "Debug 255" to the AuthBy LDAP2 clause so you can  
see the LDAP debugging.

Please send me the configuration file and the trace 4 debug showing  
both the AuthAttrDef attempt and the SearchFilter attempt.

regards

Hugh

On 9 May 2007, at 13:49, Chris Rosan wrote:

> Hugh, this is what the relevant section looks like:
>
> <AuthBy LDAP2>
>     Identifier AuthByLDAP
>
>     Host ldaphost
>     HoldServerConnection
>     Timeout 4
>     Port 3268
>
>     AuthDN cn=Auth Account,cn=Users,dc=my,dc=domain,dc=com,dc=au
>     AuthPassword    authpass
>     BaseDN          ou=Users,dc=my,dc=domain,dc=com,dc=au
>     ServerChecksPassword
>
>     UsernameAttr sAMAccountName
>     AuthAttrDef memberOf,"VPN Remote Access",check
>    #SearchFilter (&(memberOf=CN=VPN Remote
> Access,OU=Groups,DC=my,DC=domain,DC=com,DC=au))
> </AuthBy>
>
> <Handler NAS-IP-Address=192.168.0.1,Realm=my.domain.com.au>
>     RewriteUsername s/\@my\.domain\.com\.au//
>     RewriteUsername tr/./ /
>     AuthBy AuthByLDAP
> </Handler>
>
> Regardless of the group membership this will authenticate. I've
> attempted this with a search filter also, with the same result.
>
> Chris
> This e-mail and any files attached to it are confidential and
> intended solely for the use of the individual or entity to
> whom they are addressed. If you have received this e-mail
> inadvertently or you are not the intended recipient, you may
> not distribute, copy or in any way rely on it. Further, you
> should notify the sender immediately and delete the e-mail
> from your computer. The contents and opinions contained in
> this e-mail are those of the individual sender unless they
> are expressly stated to be those of Europcar. Whilst we have
> taken precautions to alert us to the presence of computer
> viruses, we cannot and do not guarantee that this email and
> any files transmitted with it are free from such viruses.

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.