Checking Active Directory group membership with winbind

Sat Jun 18 19:27:59 CEST 2016

> On 17 Jun 2016, at 18:38, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> 
> Hi,
> 
> There is now code in the rlm_winbind module in v3.1.x that permits
> checking AD group membership in a similar way that you can
> currently do with LDAP. So if you don't want to configure LDAP,
> but do have a need to check AD groups, this might be useful.
> 
> I haven't done any benchmark tests, so have no idea whether it is
> any faster than using LDAP or not. For the first group request I
> suspect it may be slower due to the winbind gid remapping. For
> subsequent requests, which winbind still has the user's groups
> cached (a few minutes at least it seems) then group searches are
> very fast.
> 
> Usage is similar to rlm_ldap. Enable the winbind module in
> mods-enabled, then you can:
> 
>  if (Winbind-Group == "my-user-group") {
>    ...
>  }
> 
> for an instance of rlm_winbind e.g.
> 
>  winbind mywb {
>    ...
>  }
> 
> you can use:
> 
>  if (mywb-Winbind-Group == "my-user-group") {
>    ...
>  }
> 
> Running with -Xx gives more debug information including a list of
> all the groups being checked for the user (until a match is
> found).
> 
> In addition, rlm_winbind will now try and find the current windows
> domain directly from winbind, so there should be no need to
> configure it with winbind_domain (this is not the case for the
> same option in rlm_mschap, yet...).
> 
> Testing and feedback welcome.

Looks good!  IIRC this allows checks against nested groups too, right?

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160618/ce3c6f63/attachment.sig>