Re: NetReg: Active Directory authentication - restrict users from AD group.


From: Robert Lowe (Robert.H.Lowe@lawrence.edu)
Date: Mon Feb 02 2004 - 18:29:44 CST


Lukasz Karapuda wrote:

Hi Lukasz!

> I have implemented Netreg 1.3rc2 on RedHat 9.0. I am using a Microsoft
> Active Directory server as my LDAP authentication server for NetReg
> registrations. For convenience I have created an Active Directory Group
> with the following DN:
>
> "CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local";
>
> I have made the Active Directory users that can register using NetReg
> members of the AD group NetReg. I wanted to restrict the registration to
> users exclusively in that AD group. Hence I used the following
> configuration setting:
>
> # Search base: can be used to restrict which users can register
> $LDAP_BASE = "CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local";
>
> However, users that are not part of the AD group NetReg can register as
> well. Hence my group restriction is not functioning correctly.
>
> Since I am not particularly knowledgeable in the AD administration, I
> would welcome some feedback as to how my $LDAP_BASE should be
> structured, so that only users within a given AD group can register
> using NetReg.

That's not the problem! The comments should read that if you select
ADS as the authentication source, authentication will happen in the
form user@domain. This is in contrast to searching for the dn, then
authenticating using it plus the supplied password. ADS will behave
as a standard LDAP search in this regard, so try the following:

. Turn off $LDAP_USE_ADS by setting it to 0
   This will force an LDAP lookup prior to attempting authentication.
. Set $LDAP_AUTH_ATTR to "cn"
   Is this the attribute needed? What does the entry specified by
   your LDAP base look like? If you can supply LDIF, everything
   should be perfectly clear.

Depending on your ADS configuration, you will have to correctly set
$LDAP_BIND_ANON and $LDAP_BIND_CREDENTIALS. Try using anonymous
binding first. If the security in your ADS config prevents anonymous
searching of DNs, you will have to provide the credentials of a user
who can search the entire DIT (or at least the base you specify).
Make sense?

-Robert
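As an added example (not from this post and not NetReg's own code), a small stdlib-only Python model of the two authentication paths Robert describes: with $LDAP_USE_ADS on, the bind is user@domain and $LDAP_BASE is never consulted; with it off, a subtree search under $LDAP_BASE must return exactly one DN before binding with it. The directory entries, user names and passwords are constructed for the example.

```python
# Added example: models NetReg's two LDAP authentication paths.
# Directory contents below are constructed; the group DN is the poster's.
DOMAIN = "mercyhurst.local"
DIRECTORY = {  # DN -> attributes (constructed)
    "CN=alice,OU=Generic Accounts,DC=mercyhurst,DC=local":
        {"cn": "alice", "userPassword": "alice-pw"},
    "CN=bob,OU=Students,DC=mercyhurst,DC=local":
        {"cn": "bob", "userPassword": "bob-pw"},
    # A group is an entry with "member" values, not a container of users,
    # so nothing user-like sits *under* it in the tree.
    "CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local":
        {"cn": "NetReg",
         "member": ["CN=alice,OU=Generic Accounts,DC=mercyhurst,DC=local"]},
}

def bind(who: str, password: str) -> bool:
    """Simple bind: accepts a DN, or user@domain the way ADS does."""
    if "@" in who:                      # ADS style: no DN, no base involved
        user, dom = who.split("@", 1)
        if dom.casefold() != DOMAIN:
            return False
        hits = [a for a in DIRECTORY.values() if a.get("cn") == user]
        return bool(hits) and hits[0].get("userPassword") == password
    entry = DIRECTORY.get(who)
    return entry is not None and entry.get("userPassword") == password

def search(base: str, attr: str, value: str) -> list:
    """Subtree search under base for attr=value; returns matching DNs."""
    b = base.casefold()
    return [dn for dn, a in DIRECTORY.items()
            if (dn.casefold() == b or dn.casefold().endswith("," + b))
            and a.get(attr) == value]

def netreg_auth(user: str, password: str, use_ads: bool,
                ldap_base: str, auth_attr: str = "cn") -> bool:
    """$LDAP_USE_ADS=1: bind user@domain, $LDAP_BASE ignored.
    $LDAP_USE_ADS=0: search $LDAP_BASE for auth_attr=user, bind the one DN."""
    if use_ads:
        return bind(f"{user}@{DOMAIN}", password)
    dns = search(ldap_base, auth_attr, user)
    if len(dns) != 1:                   # not under base, or ambiguous: refuse
        return False
    return bind(dns[0], password)
```

Searching with the group DN itself as the base finds no user entries, which is why Robert asks what the entry at the configured base actually looks like.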

**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu containing a single line with the words:
unsubscribe netreg
Send requests for assistance to: owner-netreg@southwestern.edu
**********************************************************************



This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:43 CDT