SASL binds - Rambling...

Matthew Newton mcn4 at leicester.ac.uk
Tue Feb 24 14:02:38 CET 2015


On Tue, Feb 24, 2015 at 12:01:37PM +0000, Phil Mayers wrote:
> I can tell you right now, many windows shops will balk at installing
> anything on their DCs. For that reason I don't think it's a very
> useful approach :o(

Agreed - I can't get traction on putting some load-balancers (for
LDAP resilience) in *front* of the DCs, let alone configuring
anything on them. These are NAT-based load-balancers that don't need
to touch the DCs themselves. There's plenty of need, it's tested
and works fine, but "it's the DCs"...

> For talking to Windows auths, right now and for the foreseeable
> future I think we're stuck with the Netlogon RPCs, and Samba as the
> bridge into them.
> 
> I'm more concerned about what happens when the shoe drops about
> MSCHAP security and a replacement appears, and Microsoft contrive to
> make it hard for 3rd parties to check against AD on the grounds of
> security:
...
> Shudder...

Push towards EAP-TTLS/PAP? More clients are supporting it (Windows
7 the only major exception), and *much* more flexible on the
RADIUS side.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
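As an added illustration of the "EAP-TTLS/PAP is much more flexible on the RADIUS side" point (this is a configuration sketch written for this page, not from the original post or from the FreeRADIUS project's shipped files): with PAP inside the TTLS tunnel the inner-tunnel virtual server receives a cleartext User-Password, so the `ldap` module can simply bind to AD as the user. No NT hash, no winbind/`ntlm_auth` and nothing installed on the DCs is required, which is exactly what MSCHAPv2 (inner or outer) needs. It assumes a stock FreeRADIUS 3.0.x layout (`mods-enabled/eap`, `mods-enabled/ldap`, `sites-enabled/inner-tunnel`); the hostname, base DN and service account are placeholders.

```unlang
# --- mods-enabled/eap (fragment, added example) ---------------------------
# Outer method: EAP-TTLS. The TLS tunnel protects the inner PAP exchange,
# so the client MUST validate the server certificate (ca_file on the client).
eap {
    default_eap_type = ttls

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }

    ttls {
        tls = tls-common
        # Inner PAP is not an EAP type; TTLS clients send it as plain
        # Diameter-style AVPs inside the tunnel. This default only matters
        # for clients that insist on an inner EAP method.
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply     = no
        virtual_server         = "inner-tunnel"
    }
}

# --- mods-enabled/ldap (fragment, added example) --------------------------
# Placeholder values: replace with your own directory and a read-only
# service account (constructed, not real identifiers).
ldap {
    server   = "ldaps://dc.example.invalid"
    identity = "CN=radius-ro,OU=Service Accounts,DC=example,DC=invalid"
    password = "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
    base_dn  = "DC=example,DC=invalid"

    user {
        base_dn = "${..base_dn}"
        # AD logon name; the realm is stripped by the suffix module.
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# --- sites-enabled/inner-tunnel (fragment, added example) -----------------
# Inside the tunnel the request carries User-Password in clear, so the
# user can be authenticated by an LDAP bind against AD.
server inner-tunnel {
    authorize {
        suffix
        ldap
        # Only route to the bind-based method when we actually have a
        # cleartext password (i.e. the client used inner PAP).
        if ((ok || updated) && User-Password) {
            update {
                control:Auth-Type := ldap
            }
        }
        pap
    }

    authenticate {
        # Bind as the user; the DC does all the password checking.
        Auth-Type LDAP {
            ldap
        }
        # Fallback for local users with a known-good stored password.
        pap
    }
}
```

Two defensive caveats worth keeping in mind: the whole scheme depends on clients verifying the RADIUS server certificate (an unverified tunnel hands the password to whoever answers the EAP request), and the LDAP bind should go over `ldaps://` or STARTTLS so the password is not replayed in clear on the DC side.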

