SASL binds - Rambling...

Matthew Newton mcn4 at
Tue Feb 24 14:02:38 CET 2015

On Tue, Feb 24, 2015 at 12:01:37PM +0000, Phil Mayers wrote:
> I can tell you right now, many windows shops will balk at installing
> anything on their DCs. For that reason I don't think it's a very
> useful approach :o(

Agreed - I can't get traction on putting some load-balancers (for
LDAP resilience) in *front* of the DCs, let alone configuring
anything on them. This is NAT-based load-balancers that don't need
to touch the DCs themselves. There's plenty of need, it's tested
and works fine, but "it's the DCs"...

> For talking to Windows auths, right now and for the forseeable
> future I think we're stuck with the Netlogon RPCs, and Samba as the
> bridge into them.
> I'm more concerned about what happens when the shoe drops about
> MSCHAP security and a replacement appears, and Microsoft contrive to
> make it hard for 3rd parties to check against AD on the grounds of
> security:
> Shudder...

Push towards EAP-TTLS/PAP? More clients are supporting it (Windows
7 the only major exception), and *much* more flexible on the
RADIUS side.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Devel mailing list