7 Feb
2017
7 Feb
'17
9:02 a.m.
On 07/02/2017 11:19, Matthew Newton wrote:
On Tue, Feb 07, 2017 at 08:50:02AM +0100, Dávid Erős wrote:
Thank you for the link ,but I'd like to avoid using Ldap. Is there another way to get this done by winbind and rlm_unix? rlm_ldap is still the best way at present.
There is new experimental code in the unsupported v3.1.x branch which can check groups directly with winbind. If you want to give it a spin, look at rlm_winbind. Make sure you only check groups in post-auth after a successful authentication. Aside: if you're doing any sort of policy checking in post-auth, what's the official / supported way to change an Access-Accept into an Access-Reject ?
Is it simply to invoke 'reject' from the 'always' module? Thanks, Brian.