Developers guide

Chapter 5: Configuration (page 17)
Copyright © 2008-2013 Inverse inc.
Now, we want to authenticate employees using Active Directory (over LDAP), and guests using
PacketFence's internal database - both using PacketFence's captive portal. From the Configuration
→ Users → Sources section, we select Add source → AD. We provide the following information:
Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule by clicking on the Add rule button and provide the following information:
Name: employees
Description: Rule for all employees
Don’t set any condition (as it’s a catch-all rule)
Set the following actions:
Set role employee
Set unregistration date January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually
matches in the source (using the sAMAccountName) will have the employee role and an unregistration
date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be
provisioned manually. You can do so from the Configuration → Users → Create section. When creating
guests, specify "guest" for the Set role action, and set an access duration of 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory,
one way to do it is by creating a second authentication source, for machines:
Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule:
Name: machines
Description: Rule for all machines
Don’t set any condition (as it’s a catch-all rule)
Set the following actions:
Set role machineauth
Set unregistration date January 1st, 2020
Note that when a rule is defined as a catch-all, it will always match if the username attribute matches
the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and
RADIUS sources act as true catch-alls and accept everything.
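The following is an added example, not PacketFence code, that models how the two AD sources above (employees looked up by sAMAccountName under CN=Users, machines looked up by servicePrincipalName under CN=Computers) and their catch-all rules select a role and an unregistration date, and why a catch-all on an AD/LDAP source still only matches users that exist under its Base DN while a Kerberos/RADIUS catch-all accepts everyone. The in-memory directory, the class and function names, the "ad1-machines" source name and the assumption that the captive portal tries sources in the configured order are all constructed for this example; nothing here talks to 192.168.1.2 or any real LDAP server.

```python
"""Added example (not PacketFence code): simulate PacketFence-style
authentication sources and rule evaluation over a constructed directory."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the AD tree: DN -> attributes. One entry is nested
# one container deeper than CN=Users to show what One-level scope excludes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=jdoe,CN=Users,DC=acme,DC=local": {"sAMAccountName": "jdoe"},
    "CN=ctr1,CN=Contractors,CN=Users,DC=acme,DC=local": {"sAMAccountName": "ctr1"},
    "CN=LAPTOP01,CN=Computers,DC=acme,DC=local": {
        "servicePrincipalName": "host/laptop01.acme.local"},
}


def parent_dn(dn: str) -> str:
    """Parent of a DN (assumes no escaped commas in RDN values)."""
    return dn.split(",", 1)[1]


@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]   # attribute -> required value; {} = catch-all
    role: str
    unreg_date: date


@dataclass
class LdapSource:
    """Models an AD/LDAP source: a user must be found under the Base DN first."""
    name: str
    base_dn: str
    scope: str                   # "one" (One-level) or "sub" (Subtree)
    username_attribute: str
    rules: List[Rule]

    def lookup(self, username: str) -> Optional[Dict[str, str]]:
        for dn, attrs in DIRECTORY.items():
            if attrs.get(self.username_attribute) != username:
                continue
            if self.scope == "one" and parent_dn(dn) != self.base_dn:
                continue
            if self.scope == "sub" and not dn.endswith("," + self.base_dn):
                continue
            return attrs
        return None

    def authenticate(self, username: str) -> Optional[Tuple[str, date]]:
        attrs = self.lookup(username)
        if attrs is None:
            return None          # unknown user: even a catch-all rule does not fire
        for rule in self.rules:
            if all(attrs.get(k) == v for k, v in rule.conditions.items()):
                return rule.role, rule.unreg_date
        return None


@dataclass
class PassthroughSource:
    """Models Kerberos/RADIUS sources: no directory entry to compare against,
    so a catch-all rule accepts every username that authenticates."""
    name: str
    rules: List[Rule]

    def authenticate(self, username: str) -> Optional[Tuple[str, date]]:
        for rule in self.rules:
            if not rule.conditions:
                return rule.role, rule.unreg_date
        return None


# The two sources described in the text (second one renamed to keep names unique).
EMPLOYEES = LdapSource("ad1", "CN=Users,DC=acme,DC=local", "one", "sAMAccountName",
                       [Rule("employees", {}, "employee", date(2020, 1, 1))])
MACHINES = LdapSource("ad1-machines", "CN=Computers,DC=acme,DC=local", "one",
                      "servicePrincipalName",
                      [Rule("machines", {}, "machineauth", date(2020, 1, 1))])


def authenticate(sources, username: str) -> Optional[Tuple[str, str, date]]:
    """Walk sources in configured order (assumed); return (source, role, unreg_date)."""
    for src in sources:
        result = src.authenticate(username)
        if result is not None:
            return src.name, result[0], result[1]
    return None


if __name__ == "__main__":
    for user in ("jdoe", "ctr1", "host/laptop01.acme.local", "nobody"):
        print(user, "->", authenticate([EMPLOYEES, MACHINES], user))
```

Running it shows that jdoe gets the employee role, the nested ctr1 account is rejected by the One-level scope (switching the source to "sub" would admit it), the laptop's servicePrincipalName is matched only by the machines source, and an unknown username is refused by both AD sources despite their catch-all rules, whereas the same catch-all on a PassthroughSource admits it.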