On Tue, Feb 24, 2015 at 12:01:37PM +0000, Phil Mayers wrote:
I can tell you right now, many windows shops will balk at installing anything on their DCs. For that reason I don't think it's a very useful approach :o(
Agreed - I can't get traction on putting some load-balancers (for LDAP resilience) in *front* of the DCs, let alone configuring anything on them. This is NAT-based load-balancers that don't need to touch the DCs themselves. There's plenty of need, it's tested and works fine, but "it's the DCs"...
For talking to Windows auths, right now and for the forseeable future I think we're stuck with the Netlogon RPCs, and Samba as the bridge into them.
I'm more concerned about what happens when the shoe drops about MSCHAP security and a replacement appears, and Microsoft contrive to make it hard for 3rd parties to check against AD on the grounds of security: ... Shudder...
Push towards EAP-TTLS/PAP? More clients are supporting it (Windows 7 the only major exception), and *much* more flexible on the RADIUS side. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>