AD group membership
Munroe Sollog
mus3 at lehigh.edu
Mon Jan 13 23:02:23 CET 2020
I have successfully configured freeradius to authenticate against AD using
the winbind socket (not the ntlm_auth command). I find myself needing to
also authorize based on AD group membership, more precisely based on
negative group membership (we maintain a "deny wireless" group). It seems
like I could use the LDAP module and test for the group there, but I
noticed that the ntlm_auth command supports some notion of group checking
through the '--require-membership-of=STRING' option. It follows that
winbind has access to AD groups and could be used to check. I haven't been
able to find any guidance on the freeradius.org documentation site, so I
was wondering if there is a preferred method for AD-based group checking
when using winbind.
--
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
More information about the Freeradius-Users mailing list