(RADIATOR) LDAP Auth against Microsoft AD - limiting access by AD Group
Hugh Irvine
hugh at open.com.au
Wed May 9 03:29:27 CDT 2007
Hello Chris -
I suggest you add "Debug 255" to the AuthBy LDAP2 clause so you can
see the LDAP debugging.
Please send me the configuration file and the trace 4 debug showing
both the AuthAttrDef attempt and the SearchFilter attempt.
regards
Hugh
On 9 May 2007, at 13:49, Chris Rosan wrote:
> Hugh, this is what the relevant section looks like:
>
> <AuthBy LDAP2>
> Identifier AuthByLDAP
>
> Host ldaphost
> HoldServerConnection
> Timeout 4
> Port 3268
>
> AuthDN cn=Auth Account,cn=Users,dc=my,dc=domain,dc=com,dc=au
> AuthPassword authpass
> BaseDN ou=Users,dc=my,dc=domain,dc=com,dc=au
> ServerChecksPassword
>
> UsernameAttr sAMAccountName
> AuthAttrDef memberOf,"VPN Remote Access",check
> #SearchFilter (&(memberOf=CN=VPN Remote
> Access,OU=Groups,DC=my,DC=domain,DC=com,DC=au))
> </AuthBy>
>
> <Handler NAS-IP-Address=192.168.0.1,Realm=my.domain.com.au>
> RewriteUsername s/\@my\.domain\.com\.au//
> RewriteUsername tr/./ /
> AuthBy AuthByLDAP
> </Handler>
>
> Regardless of the group membership this will authenticate. I've
> attempted this with a search filter also, with the same result.
>
> Chris
> This e-mail and any files attached to it are confidential and
> intended solely for the use of the individual or entity to
> whom they are addressed. If you have received this e-mail
> inadvertently or you are not the intended recipient, you may
> not distribute, copy or in any way rely on it. Further, you
> should notify the sender immediately and delete the e-mail
> from your computer. The contents and opinions contained in
> this e-mail are those of the individual sender unless they
> are expressly stated to be those of Europcar. Whilst we have
> taken precautions to alert us to the presence of computer
> viruses, we cannot and do not guarantee that this email and
> any files transmitted with it are free from such viruses.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list