Active Directory group check via winbind + rlm_unix, not LDAP

A.L.M.Buxey at lboro.ac.uk
Mon Sep 1 13:42:33 CEST 2014


Hi,

> I apparently got this to work and wanted to share the solution in the
> hope that it will be helpful to someone, but also to ask if anyone sees
> any issues with the approach:

interesting solution

>                 if (User-Name !~ /DOMAIN\\\\/i) {
>                         update request {
>                                 User-Name := "DOMAIN\\\\%{User-Name}"
>                         }
>                 }

you shouldn't play with User-Name - use a temporary/local RADIUS attribute instead

> Another possible advantage is redundancy -- I understand the LDAP method
> does not allow for multiple LDAP servers. Using winbindd (I theorize, I

yes, it does (allow multiple servers)

> am not sure about this) provides redundancy because the group membership
> comes from the domain controller, which is found using DNS lookups --
> if a controller goes down then another (hopefully) takes its place and
> winbindd will be able to find it with no configuration changes.

no. it rarely falls over nicely to the next server. winbindd is rubbish
(I know, we use it)

alan
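Alan's advice above, applied to the poster's snippet as an added example (this is not code from either of them): the DOMAIN\ prefix is built in a temporary attribute instead of being written into User-Name, so the name the NAS actually sent survives untouched for logging, accounting and any later module that keys on it. This assumes FreeRADIUS 3.x, the Tmp-String-0 attribute from the internal dictionary, and that whatever performs the group lookup later in the same section is configured to read the qualified name from Tmp-String-0 rather than from User-Name; the backslash escaping is copied as the poster wrote it.

```unlang
# Added example, not from the original post or the reply.
# Keep User-Name as received; put the DOMAIN-qualified form in an
# internal attribute that is never sent back to the NAS.
# The regex is anchored with ^ so only a leading "DOMAIN\" counts as
# already qualified (a stricter test than the original's unanchored one).
if (User-Name =~ /^DOMAIN\\\\/i) {
        update request {
                Tmp-String-0 := "%{User-Name}"
        }
}
else {
        update request {
                Tmp-String-0 := "DOMAIN\\\\%{User-Name}"
        }
}

# Assumption: the group check that follows in this section takes its
# username from %{Tmp-String-0}; nothing below touches User-Name.
```

If the downstream module cannot be pointed at Tmp-String-0 and insists on reading User-Name, that is the point at which to decide, knowingly, whether rewriting User-Name is acceptable rather than doing it as a side effect of the group check.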

