G'day all
 
I've taken out a configuration from a earlier prototype that I used with
Samba/Winbind authentication but didn't use the rlm_ldap for authorization
back then.  (Having some archives can be quite useful sometimes...) ;-)
 
Since ntlm_auth properly leads to Access-Rejects for disabled users I can ignore
how good or how bad rlm_ldap behaves for disabled users as long as it properly
checks for group memberships (that's what I'm interested in for LDAP checks)
 
And even if Arran points out the brokenness of rlm_ldap code in FR 2.x, group-checks based
on rlm_ldap are working as expected - and thats what I'm required to get working with this Setup.
 
Regarding...
> Since your testing auth request was PAP, mschap will never be
> called for this, so you're stuck basically.
The result was same when using radtest with "-t mschap" if that's what you're pointing out.
 
I guess for the current time I'm going to stay with an ADS-joined Samba and use LDAP
only for the authorization part. Summing up, I feel ending up with less components taming
overall complexiness a bit.
 
Thank you guys for your Inputs!
 
-- Mathieu