LDAP Binding

Phil Mayers p.mayers at imperial.ac.uk
Sat Feb 11 11:38:24 CET 2012


On 02/10/2012 09:09 PM, NdK wrote:

> Can't create "users" in AD. Just machine accounts. Maybe it's possible
> to use the (or "a dedicated") *machine* account credentials?

rlm_ldap just needs a bind DN. Any ldap DN with permissions to bind to 
the directory and execute the searches you need will suffice.

>> If you say what you're trying to accomplish rather than how, it might be
>> a bit clearer.
> Trying to avoid a script (1st exec of "bash") that does a "net ads
> search" (2nd exec), filters output with "sed" (it hasn't been too hard to
> write a script that does "grep", too -- 3rd exec).
>
> I need to determine if/what to return in 'access-accept' when a user
> authenticates to a switch.

You've really got several choices:

  1. Use an "exec" module, ideally in post-auth so it's only run once. 
Whether it's written in shell, perl, C or something else is your choice.

  2. Bulk-query the data from LDAP, cache it into a local SQL / text 
file, query that with rlm_sql / rlm_passwd. For optional extra points, 
use the incremental LDAP search facility to "tail" changes to LDAP.

  3. Query in real-time using rlm_ldap. As said, you can't use kerberos 
for this, you'll need a bind DN.

  4. Something else.
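To make option 3 concrete, the following is an added example, not part of the thread and not FreeRADIUS's own shipped configuration. It assumes FreeRADIUS 3.x syntax for mods-available/ldap and sites-available/default (the thread predates 3.x, so 2.x users will need the older key names), a dedicated AD computer object used purely as the bind identity, and a custom directory attribute holding the VLAN to hand back to the switch. Every host name, DN, password, file path and attribute name below is a placeholder.

```conf
# mods-available/ldap  (added example; all values are placeholders)
ldap {
    # Talk to the DC over LDAPS so the bind password never crosses the wire in clear.
    server = "ldaps://dc1.example.com"

    # Bind as the computer object. rlm_ldap does not care whether the DN is a
    # user or a machine: any DN that can bind and run the searches below will do.
    identity = "cn=RADIUS01,cn=Computers,dc=example,dc=com"
    password = "machine-account-password-placeholder"

    base_dn = "dc=example,dc=com"

    # Copy directory attributes into the reply when the user object is found.
    # The right-hand side is always an LDAP attribute name, never a literal,
    # so static values such as Tunnel-Type are set in unlang below instead.
    # 'radiusTunnelPrivateGroupId' is an assumed custom attribute.
    update {
        reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
    }

    user {
        base_dn = "cn=Users,${..base_dn}"
        # Look the user up by sAMAccountName, preferring the realm-stripped name.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    tls {
        # Validate the DC certificate; a machine-account bind over an
        # unverified TLS session would hand the password to any impostor.
        ca_file      = /etc/raddb/certs/ad-ca.pem
        require_cert = "demand"
    }
}

# sites-available/default, authorize section (fragment)
authorize {
    preprocess
    suffix
    ldap
    if (notfound) {
        # No object for this user: do not build an Access-Accept at all.
        reject
    }
    if (ok || updated) {
        # Static reply attributes that frame the VLAN id fetched above.
        update reply {
            Tunnel-Type        := VLAN
            Tunnel-Medium-Type := IEEE-802
        }
    }
}
```

With this in place the switch receives the three Tunnel-* attributes only when the user exists in the directory and carries the assumed VLAN attribute; users without the attribute still get an Access-Accept with no VLAN, so add a `notfound`/`noop` branch if that is not the desired behaviour. The computer account needs only read access to the user containers it searches, which is the least privilege rlm_ldap requires for this setup.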


