LDAP Binding

NdK ndk.clanbo at gmail.com
Fri Feb 10 22:09:00 CET 2012


On 10/02/2012 16:21, Phil Mayers wrote:

>> Is it possible to bind to AD's LDAP using the Kerberos ticket obtained
>> at join time?
> This question does not make sense. Joining a domain doesn't "obtain a
> kerberos ticket". It creates a machine account principal, and a shared
> secret (password) that can *in future* be used to obtain kerberos tickets.
Yep. Sorry. Tried to "condense" too much :(

> First, you can do that now. Just create a service account in AD for
> searching LDAP, and set the bind DN.
Can't create "users" in AD. Just machine accounts. Maybe it's possible
to use the (or "a dedicated") *machine* account credentials?

> Secondly, checking group membership over LDAP in AD is not as simple as
> you might think. Nested groups and primary group ID are the two main
> problems.
I know: about 5-6 years ago I wrote a lot of PHP code that did exactly
that. A nightmare. But doable. At least in PHP.

> Thirdly, why do you assume that spawning a process is undesirable? Have
> you tested it to see which is slower?
Reading the FR docs, it seems it's something to avoid whenever possible.
Since there's an internal ldap module, I thought it could be possible to
use it.

> If you say what you're trying to accomplish rather than how, it might be
> a bit clearer.
Trying to avoid a script (1st exec of "bash") that does a "net ads
search" (2nd exec), filters output with "sed" (it's not been too hard to
write a script that does "grep", too -- 3rd exec).

I need to determine if/what to return in 'access-accept' when a user
authenticates to a switch.
- students (determined by *domain* membership) receive a VLAN membership
- administrators (determined by *domain* and *group* membership) receive
*no* VLAN memberships (so they can access all the VLANS configured for
that switch port, as said on the wiki for HPs)
- "regular" users receive VLAN membership for a different VLAN than
students (preventing them from tampering with the administration VLAN)

BYtE,
 Diego.
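The VLAN policy Diego describes, together with the two AD pitfalls Phil Mayers points out (nested groups and primaryGroupID), as an added worked example that is not part of the original thread or of FreeRADIUS itself. The directory snapshot, domain names, DNs, SIDs, group names and VLAN numbers are all constructed assumptions; it assumes students and staff live in separate domains, and that an "administrator" is a staff-domain user who is an effective member of a NetAdmins group.

```python
"""Added example (not from the mailing-list thread or FreeRADIUS): resolve a
user's *effective* AD group membership and map it to the RADIUS VLAN reply
described in the post.

Two things a naive "memberOf contains X" check gets wrong in AD:
  1. memberOf lists only direct membership, so nested groups are missed.
  2. The user's primary group is never listed in memberOf; it is referenced
     by RID in primaryGroupID, and its SID is <domain SID>-<primaryGroupID>.
"""

# Constructed snapshot of what an LDAP search against AD would return.
# All DNs, SIDs and names below are assumptions for illustration.
DIRECTORY = {
    "CN=alice,OU=Students,DC=students,DC=example,DC=edu": {
        "objectClass": "user",
        "objectSid": "S-1-5-21-1111-2222-3333-1201",
        "primaryGroupID": 513,          # Domain Users (RID 513)
        "memberOf": [],
    },
    "CN=bob,OU=Staff,DC=staff,DC=example,DC=edu": {
        "objectClass": "user",
        "objectSid": "S-1-5-21-4444-5555-6666-1301",
        "primaryGroupID": 513,
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=staff,DC=example,DC=edu"],
    },
    "CN=carol,OU=Staff,DC=staff,DC=example,DC=edu": {
        "objectClass": "user",
        "objectSid": "S-1-5-21-4444-5555-6666-1302",
        "primaryGroupID": 1105,         # primary group *is* NetAdmins
        "memberOf": [],
    },
    "CN=dave,OU=Staff,DC=staff,DC=example,DC=edu": {
        "objectClass": "user",
        "objectSid": "S-1-5-21-4444-5555-6666-1303",
        "primaryGroupID": 513,
        "memberOf": [],
    },
    "CN=Domain Users,CN=Users,DC=students,DC=example,DC=edu": {
        "objectClass": "group",
        "objectSid": "S-1-5-21-1111-2222-3333-513",
        "memberOf": [],
    },
    "CN=Domain Users,CN=Users,DC=staff,DC=example,DC=edu": {
        "objectClass": "group",
        "objectSid": "S-1-5-21-4444-5555-6666-513",
        "memberOf": [],
    },
    "CN=Helpdesk,OU=Groups,DC=staff,DC=example,DC=edu": {
        "objectClass": "group",
        "objectSid": "S-1-5-21-4444-5555-6666-1104",
        # Helpdesk is nested inside NetAdmins: members of Helpdesk are admins.
        "memberOf": ["CN=NetAdmins,OU=Groups,DC=staff,DC=example,DC=edu"],
    },
    "CN=NetAdmins,OU=Groups,DC=staff,DC=example,DC=edu": {
        "objectClass": "group",
        "objectSid": "S-1-5-21-4444-5555-6666-1105",
        "memberOf": [],
    },
}

# Policy constants (assumptions, not from the post).
STUDENT_DOMAIN = "DC=students,DC=example,DC=edu"
STAFF_DOMAIN = "DC=staff,DC=example,DC=edu"
ADMIN_GROUP = "CN=NetAdmins,OU=Groups,DC=staff,DC=example,DC=edu"
STUDENT_VLAN = "100"
STAFF_VLAN = "200"


def domain_sid(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def domain_of(dn):
    """Return the DC=... suffix of a DN, used to tell the domains apart."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))


def effective_groups(directory, user_dn):
    """All groups the user belongs to: direct, primary, and transitively nested."""
    user = directory[user_dn]
    pending = list(user["memberOf"])
    # Pitfall 2: locate the primary group by SID = <domain SID>-<primaryGroupID>.
    primary_sid = "%s-%d" % (domain_sid(user["objectSid"]), user["primaryGroupID"])
    for dn, entry in directory.items():
        if entry["objectClass"] == "group" and entry["objectSid"] == primary_sid:
            pending.append(dn)
    # Pitfall 1: walk memberOf of each group to pick up nesting (cycle-safe).
    seen = set()
    while pending:
        group_dn = pending.pop()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        pending.extend(directory[group_dn]["memberOf"])
    return seen


def vlan_reply(vlan_id):
    """RFC 3580 dynamic-VLAN attributes for an Access-Accept."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan_id}


def access_accept_attrs(directory, user_dn):
    """Attributes to return in Access-Accept, per the policy in the post."""
    domain = domain_of(user_dn)
    groups = effective_groups(directory, user_dn)
    # Administrators: staff domain *and* (effective) NetAdmins membership.
    # No VLAN attributes, so the switch leaves the port with all VLANs it has configured.
    if domain == STAFF_DOMAIN and ADMIN_GROUP in groups:
        return {}
    # Students: decided by domain membership alone.
    if domain == STUDENT_DOMAIN:
        return vlan_reply(STUDENT_VLAN)
    # Everyone else: a VLAN distinct from the students' one.
    return vlan_reply(STAFF_VLAN)


if __name__ == "__main__":
    for dn in DIRECTORY:
        if DIRECTORY[dn]["objectClass"] == "user":
            print(dn.split(",")[0], access_accept_attrs(DIRECTORY, dn))
```

Note that bob (admin only through the nested Helpdesk group) and carol (admin only through her primary group) would both be misclassified as regular staff by a plain memberOf check. When the lookup is done against a real DC instead of a snapshot, the nesting can be pushed server-side with AD's LDAP_MATCHING_RULE_IN_CHAIN filter, e.g. (member:1.2.840.113556.1.4.1941:=<user DN>) on the group object; the primary group still has to be handled separately, since it is not reflected in member/memberOf at all.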
