Multi-domain AD and Users Who Aren't So Bright

NdK ndk.clanbo at gmail.com
Fri Feb 3 08:22:38 CET 2012


On 02/02/2012 21:59, Matthew Newton wrote:

>> /usr/bin/net ads search -P "(mail=%{User-Name})" sAMAccountName | grep sAMAccountName | sed "s/^[^ ]* //"
>> (maybe it's possible to do the same without using grep and sed, but it's
>> been just a quick test -- suggestions welcome).
> 
> Have you tried ldapsearch? Might be more flexible.
Can't use it: for security (privacy) our DCs don't allow anonymous
binding. And I can't add users, just machines and OUs.

> I'm rather guessing here, but I wonder if LDAP searching the AD
> global catalogue (ports 3268/3269) would make this work with one
> search?
Often you can't do an ldap search on AD...

> But that's not really a FreeRADIUS issue. You'd probably be better
> finding a samba or AD list.
What I was saying was:
1) it should be doable to let users do MSCHAPv2 auth using their mail account
(which could be unrelated to sAMAccountName) instead of "strange" (from the
users' POV) usernames with domains
2) I was asking for some "trick" that lets me do the same thing without
spawning processes for grep and sed (if possible... and that is FR-specific)

BYtE,
 Diego.
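The pipeline quoted above does two things a practitioner would want to look at: it interpolates `%{User-Name}` straight into an LDAP filter with nothing escaping filter metacharacters, and it forks grep and sed for every authentication. The following is an added example, not code from Diego's post or from the FreeRADIUS or Samba projects. It shows a POSIX sh helper that escapes the user-supplied value per RFC 4515 before it is placed in the `(mail=...)` filter, and a reader loop that pulls the `sAMAccountName` value out of the search output using only shell builtins. The shape of the `net ads search` output and the account name `jdoe` are constructed for the example and are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): escape a RADIUS User-Name for
# use inside an LDAP search filter (RFC 4515), and extract the sAMAccountName
# value from `net ads search` output with shell builtins only, so no grep/sed
# processes are spawned per authentication.

# RFC 4515 escaping of the characters that have meaning inside a filter:
#   \  ->  \5c     *  ->  \2a     (  ->  \28     )  ->  \29
# (NUL cannot occur in a shell string, so it needs no case here.)
ldap_filter_escape() {
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of the remaining input
        s=${s#?}                 # drop it from the input
        case $c in
            '\') out="$out\\5c" ;;
            '*') out="$out\\2a" ;;
            '(') out="$out\\28" ;;
            ')') out="$out\\29" ;;
            *)   out="$out$c" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Read search output on stdin and print the value of the first
# "sAMAccountName: ..." line. Returns 1 if no such line is present.
# Replaces `grep sAMAccountName | sed "s/^[^ ]* //"` without forking.
sam_from_search() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            sAMAccountName:*)
                value=${line#sAMAccountName:}
                value=${value# }          # drop the single space after the colon
                printf '%s\n' "$value"
                return 0 ;;
        esac
    done
    return 1
}

# Constructed sample of what `net ads search` prints for one match.
# The wording of the header line and the account name are assumptions.
SAMPLE_OUTPUT='Got 1 replies

sAMAccountName: jdoe'

# Build the filter from an (untrusted) User-Name and resolve it.
# In production the last line would be:
#   net ads search -P "$filter" sAMAccountName | sam_from_search
# Here the constructed sample stands in for the directory.
resolve_sam() {
    filter="(mail=$(ldap_filter_escape "$1"))"
    printf '%s\n' "$SAMPLE_OUTPUT" | sam_from_search
}

resolve_sam 'jdoe@example.org'
```

The escaping matters because a User-Name such as `*)(objectClass=*` would otherwise rewrite the filter; after `ldap_filter_escape` it is matched as a literal string. The reader loop gives the same result as the grep/sed pair for the single-match case, but with zero extra processes.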



More information about the Freeradius-Users mailing list