On Sep 6, 2017, at 8:48 AM, $witch <a.spinella@fidus.it> wrote:
have a working installation of FreeRADIUS Version 3.0.15 that "look for AD group matching" to distinguish allowed users per NAS.
That's good...
shortly, having proof that it is working for many but not all workers have observed that in working case
........... (2) } # Auth-Type ntlm_auth = ok (2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (2) post-auth { (2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh
Why not just use the features that come with the server? It supports querying AD for group membership via LDAP-Group: if (LDAP-Group == "admin") { ... do stuff ... } The LDAP group checks are even cached, so it doesn't hit AD every time you do the group comparison.
so, it seem that 1115 is outside some limit (I guess 1024) but am not aware IF and WHERE can I expand it.
I wouldn't recommend that. Instead, please explain what that script does, and why you need it to return almost 100 group. I'm willing to bet that you can re-implement that functionality in FreeRADIUS. Alan DeKok.