[RADIATOR] Auth ADSI Problem

Nazzareno Guerra nazzareno.guerra at gmail.com
Sat Oct 11 07:53:31 CDT 2008


2008/10/11 Nazzareno Guerra <nazzareno.guerra at gmail.com>
>
> Hi all,
> I've some problems with Auth ADSI.
> I'd like to authenticate ONLY users present in some windows groups.
> Here is a portion of the .cfg file:
>
> <Handler Realm=testing.local>
>                <AuthBy ADSI>
>                        SearchAttribute userPrincipalName
>                        BindString LDAP://testing.local/CN=PROVAGR,CN=Users,DC=testing,DC=local
>                        AuthUser %0
>                        AuthFlags 1
>                </AuthBy>
>
> The Windows group is PROVAGR, which I created in the Users container.
> The user is tricheco, who is actually a member of PROVAGR.
>
> The log message is:
> Sat Oct 11 11:28:28 2008: DEBUG: Handling request with Handler
> 'Realm=testing.local'
> Sat Oct 11 11:28:28 2008: DEBUG:  Deleting session for
> tricheco at testing.local, 203.63.154.1, 1234
> Sat Oct 11 11:28:28 2008: DEBUG: Handling with ADSI
> Sat Oct 11 11:28:28 2008: DEBUG: BindString converted to
> LDAP://testing.local/CN=PROVAGR,CN=Users,DC=testing,DC=local
> Sat Oct 11 11:28:28 2008: DEBUG: AuthUser converted to tricheco at testing.local
> Sat Oct 11 11:28:28 2008: DEBUG: Starting ADODB search for
> userPrincipalName = tricheco at testing.local
> Sat Oct 11 11:28:28 2008: DEBUG: AuthBy ADSI result: REJECT, User not
> found in AD
> Sat Oct 11 11:28:28 2008: INFO: Access rejected for
> tricheco at testing.local: User not found in AD
> Sat Oct 11 11:28:28 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1302 ....
> Code:       Access-Reject
>
> Can anyone help me?
> Thank you,
> Best regards
>
> --
> Guerra Nazzareno
> +393286872159
> Key fingerprint = 96AB 5C5C ED50 4FA4 33CD  D5A8 E377 C5F7 B8D0 3EE8

I solved the problem! :)
I inserted this:
GroupRequired CN=TESTGR:

<AuthBy ADSI>
			SearchAttribute userPrincipalName
			GroupRequired CN=TESTGR
			BindString LDAP://testing.local/CN=Users,DC=testing,DC=local
			AuthUser %0
			AuthFlags 1
</AuthBy>

In this way, if the user isn't a member of this Windows group, the log is:
Sat Oct 11 14:31:38 2008: DEBUG: AuthBy ADSI result: REJECT, Not
member of group CN=TESTGR
Sat Oct 11 14:31:38 2008: INFO: Access rejected for
prova at testing.local: Not member of group CN=TESTGR

Bye all
--
Guerra Nazzareno
+393286872159
Key fingerprint = 96AB 5C5C ED50 4FA4 33CD  D5A8 E377 C5F7 B8D0 3EE8
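A model of the two checks this thread turns on (the search for the user under the BindString base, then the GroupRequired membership test), written as an added Python example; it is not Radiator's code and not part of the post. The in-memory directory, the function names, and the matching of GroupRequired against the leading RDN of each memberOf value are this example's own assumptions, and it models the search and membership logic only, not the password bind. It reproduces why the first config (BindString pointing at the group object) logged "User not found in AD", and why the fixed config (BindString at the Users container plus GroupRequired) rejects a user outside the group.

```python
"""Constructed stand-in for an AD search plus a group-membership check, in the
shape of the AuthBy ADSI log lines from the post. Not Radiator's code."""

# Constructed directory: DN -> attributes. memberOf is how AD exposes a user's
# group membership; the group object itself has no userPrincipalName.
DIRECTORY = {
    "CN=tricheco,CN=Users,DC=testing,DC=local": {
        "objectClass": "user",
        "userPrincipalName": "tricheco@testing.local",
        "memberOf": ["CN=PROVAGR,CN=Users,DC=testing,DC=local"],
    },
    "CN=prova,CN=Users,DC=testing,DC=local": {
        "objectClass": "user",
        "userPrincipalName": "prova@testing.local",
        "memberOf": [],
    },
    "CN=PROVAGR,CN=Users,DC=testing,DC=local": {
        "objectClass": "group",
        "member": ["CN=tricheco,CN=Users,DC=testing,DC=local"],
    },
}


def in_subtree(dn, base_dn):
    """A subtree search rooted at base_dn only sees entries at or below it.
    A user object never sits *below* the group it belongs to, so a search
    base that names the group DN cannot find the user."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user(base_dn, search_attribute, value):
    """Mimic 'Starting ADODB search for <attr> = <value>' under base_dn."""
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, base_dn) and attrs.get(search_attribute, "").lower() == value.lower():
            return dn, attrs
    return None


def authenticate(base_dn, search_attribute, username, group_required=None):
    """Return a result string shaped like the 'AuthBy ADSI result:' log line.

    group_required is compared (assumption of this model) against the leading
    RDN of each memberOf DN, e.g. 'CN=PROVAGR'.
    """
    found = find_user(base_dn, search_attribute, username)
    if found is None:
        return "REJECT, User not found in AD"
    _dn, attrs = found
    if group_required is not None:
        groups = {g.split(",", 1)[0].lower() for g in attrs.get("memberOf", [])}
        if group_required.lower() not in groups:
            return f"REJECT, Not member of group {group_required}"
    # Without GroupRequired, any user found under the base would reach here:
    # the container alone does not restrict access to the intended group.
    return "ACCEPT"


if __name__ == "__main__":
    users_base = "CN=Users,DC=testing,DC=local"
    group_dn = "CN=PROVAGR,CN=Users,DC=testing,DC=local"
    # First config from the post: search base is the group object itself.
    print(authenticate(group_dn, "userPrincipalName", "tricheco@testing.local"))
    # Fixed config: container as base, group enforced via GroupRequired.
    print(authenticate(users_base, "userPrincipalName", "tricheco@testing.local", "CN=PROVAGR"))
    print(authenticate(users_base, "userPrincipalName", "prova@testing.local", "CN=PROVAGR"))
```

The last case in the block (container base, no GroupRequired) is the one to watch for when reviewing such a config: moving BindString up to the Users container makes every user findable, so the group restriction has to come from GroupRequired rather than from the search base.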
