Il 10/02/2012 16:21, Phil Mayers ha scritto:
Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time? This question does not make sense. Joining a domain doesn't "obtain a kerberos ticket". It creates a machine account principal, and a shared secret (password) that can *in future* be used to obtain kerberos tickets. Yep. Sorry. Tried to "condense" too much :(
First, you can do that now. Just create a service account in AD for searching LDAP, and set the bind DN. Can't create "users" in AD. Just machine accounts. Maybe it's possible to use the (or "a dedicated") *machine* account credentials?
Secondly, checking group membership over LDAP in AD is not as simple as you might think. Nested groups and primary group ID are the two main problems. I know: about 5-6 years ago I wrote a lot of PHP code that did exactly that. A nightmare. But doable. At least in PHP.
Thirdly, why do you assume that spawning a process is undesirable? Have you tested it to see which is slower? Reading FR docs it seems it's something to avoid whenever possible. Since there's an internal ldap module, I thought it could be possible to use it.
If you say what you're trying to accomplish rather than how, it might be a bit clearer. Trying to avoid a script (1st exec of "bash") that does a "net ads search" (2nd exec), filters output with "sed" (it's been not too hard to write a script that does "grep", too -- 3rd exec).
I need to determine if/what to return in 'access-accept' when an user authenticates to a switch. - students (determined by *domain* membership) receive a VLAN membership - administrators (determined by *domain* and *group* membership) receive *no* VLAN memberships (so they can access all the VLANS configured for that switch port, as said on the wiki for HPs) - "regular" users receive VLAN membership for a different VLAN than students (preventing 'em to tamper with administration VLAN) BYtE, Diego.