On Jan 13, 2020, at 5:02 PM, Munroe Sollog <mus3@lehigh.edu> wrote:
I have successfully configured freeradius to authenticate against AD using the winbind socket (not the ntlm_auth command).
That's good.
I find myself needing to also authorize based on AD group membership, more precisely based on negative group membership (We maintain a "deny wireless" group). It seems like I could use the LDAP module and test for the group there, but I noticed that the ntlm_auth command supports some notion of group checking through the '--require-membership-of=STRING' option.
That requires membership in a particular group. It does *not* do negative group checking.
It follows that winbind has access to AD groups and could be used to check. I haven't been able to find any guidance on the freeradius.org documentation site, so I was wondering if there is a preferred method for AD-based group checking when using winbind.
The --require-membership-of option is *only* good if you need to require membership of one, and only one group. If you need to check multiple groups, it doesn't work. If you need to do negative group checking, it doesn't work. Alan DeKok.