Multi-domain AD and Users Who Aren't So Bright

Matthew Newton mcn4 at leicester.ac.uk
Fri Feb 3 12:51:51 CET 2012


Hi,

On Fri, Feb 03, 2012 at 08:22:38AM +0100, NdK wrote:
> Il 02/02/2012 21:59, Matthew Newton ha scritto:
> 
> >> /usr/bin/net ads search -P "(mail=%{User-Name})" sAMAccountName|grep
> >> sAMAccountName|sed "s/^[^ ]* //"
> >> (maybe it's possible to do the same without using grep and sed, but it's
> >> been just a quick test -- suggestions welcome).
> > 
> > Have you tried ldapsearch? Might be more flexible.
> Can't use it: for security (privacy) our DCs don't allow anonymous
> binding. And I can't add users, just machines and OUs.

ldapsearch allows you to bind as a specific user for searches
(I do that), but if you can't add users to your DCs (?!) then
I guess that option's out.

> > But that's not really a FreeRADIUS issue. You'd probably be better
> > finding a samba or AD list.
> What I was saying was:
> 1) it should be doable to let users do MSCHAPv2 auth using mail account
> (which could be unrelated to sAMAccountName) instead of "strange" (from
> users' POV) usernames with domains
> 2) I was asking for some "trick" that lets me do the same thing without
> requiring processes for grep and sed (if possible... and that's FR specific)

Apologies - I meant that finding the answer to your 'trick' is not
a FreeRADIUS thing. It's a directory lookup, or identity
management type issue.

Then, yes, of course it translates into 'how do I do this search
_within_ FreeRADIUS'.

Hence you might initially get better answers from AD people on the
lookup, rather than FreeRADIUS people.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
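The thread's second question is how to pull the sAMAccountName out of a `net ads search` (or bound `ldapsearch`) result without forking grep and sed for every authentication. The script below is an added example, not code from the original posts or from the FreeRADIUS project: it does the extraction with shell built-ins only (`read` and `case`), and refuses addresses containing LDAP filter metacharacters before they could reach a search filter. The directory output is a constructed stand-in so the script runs offline; `fake_directory`, `mail_to_sam` and the `example.invalid` hostnames are assumptions made for the example.

```shell
#!/bin/sh
# Added example: map a mail address to a sAMAccountName using only shell
# built-ins, so a FreeRADIUS exec call does not spawn grep and sed.
#
# fake_directory stands in for the real lookup, which in the thread was:
#   net ads search -P "(mail=$1)" sAMAccountName
# or, bound as a service account rather than anonymously:
#   ldapsearch -x -H ldap://dc.example.invalid -D 'svc-radius@example.invalid' -W \
#       -b 'DC=example,DC=invalid' "(mail=$1)" sAMAccountName
# Its output lines are CONSTRUCTED for this example.
fake_directory() {
    case "$1" in
        alice@example.invalid)
            printf 'Got 1 replies\n\n'
            printf 'sAMAccountName: alice.smith\n' ;;
        bob@example.invalid)
            printf 'Got 1 replies\n\n'
            printf 'sAMAccountName: bsmith\n' ;;
        *)
            printf 'Got 0 replies\n' ;;
    esac
}

# mail_to_sam MAIL: print the sAMAccountName for MAIL and return 0,
# or print nothing and return 1 when there is no match.
# Input containing '(', ')', '*' or '\' is rejected up front so that a
# user-supplied name cannot rewrite the "(mail=...)" search filter.
# Only the first matching attribute line is used.
mail_to_sam() {
    mail="$1"
    case "$mail" in
        ""|*'('*|*')'*|*'*'*|*'\'*) return 1 ;;
    esac
    sam=$(fake_directory "$mail" | while IFS= read -r line; do
        case "$line" in
            "sAMAccountName: "*)
                # strip the attribute name prefix with parameter expansion
                printf '%s' "${line#sAMAccountName: }"
                break ;;
        esac
    done)
    [ -n "$sam" ] || return 1
    printf '%s\n' "$sam"
}

# usage: mail_to_sam alice@example.invalid   -> prints "alice.smith"
```

In a real deployment the script's only output would be the bare account name, which is what a FreeRADIUS exec-style call can capture into an attribute for the later MS-CHAPv2 step; the metacharacter check matters there because the mail address arrives as untrusted User-Name.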
