Multi-domain AD and Users Who Aren't So Bright
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 2 11:14:52 CET 2012
On 02/01/2012 09:57 PM, McNutt, Justin M. wrote:
> Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate that your users always use the correct
"DOM\user" format.
A couple of things you could do: use SQL to store the mappings rather than
hard-coding them; replace your script with a SQL lookup (use a bulk LDAP
dump to populate the unqualified user -> domain mapping, nightly).
I guess in an ideal world, Samba would handle any username format that
Windows itself would handle, and none of this would be necessary, e.g.
ntlm_auth might output:
SamAccountName: user
NT-Domain: DOM
NT_KEY: foobar
...and FR could populate those.
But TBH I think (not sure here) you've crafted a solution that processes
usernames Windows itself could not; basically you've coded site-specific
knowledge into your configs. This is, necessarily, site specific!
tl;dr - from what I can see, that's about as good as you're going to get.
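As an added illustration of the SQL-lookup approach described above (this is not code from the list, from FreeRADIUS or from Samba), the following resolves a bare username to its NT domain from a table that a nightly LDAP dump would populate, and refuses to guess when the same sAMAccountName exists in more than one domain. The LDAP_DUMP rows, the REALM_TO_NTDOMAIN table and the default-domain fallback are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for a nightly LDAP export: (sAMAccountName, NT domain).
LDAP_DUMP = [
    ("alice", "CORP"),
    ("bob", "CORP"),
    ("bob", "LAB"),      # same sAMAccountName in two domains: ambiguous
    ("carol", "LAB"),
]

# Constructed UPN-suffix -> NetBIOS domain table; a real site would export this too.
REALM_TO_NTDOMAIN = {"corp.example.com": "CORP", "lab.example.com": "LAB"}


def build_mapping_db(rows):
    """Load the dump into an in-memory SQLite table (what the nightly job would do)."""
    db = sqlite3.connect(":memory:")
    # NOCASE so lookups match however the user capitalised the name.
    db.execute("CREATE TABLE user_domain (sam TEXT NOT NULL COLLATE NOCASE,"
               " domain TEXT NOT NULL, PRIMARY KEY (sam, domain))")
    db.executemany("INSERT OR IGNORE INTO user_domain VALUES (?, ?)", rows)
    db.commit()
    return db


def qualify_username(db, login, default_domain=None):
    """Return (domain, user) for DOM\\user, user@realm or a bare user name.

    Bare names go through the SQL mapping. An ambiguous name (several domains)
    or an unknown name with no default raises ValueError instead of guessing,
    because a guessed domain would send the wrong password to the wrong DC.
    """
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return domain.upper(), user
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        if realm.lower() not in REALM_TO_NTDOMAIN:
            raise ValueError("unknown realm %r" % realm)
        return REALM_TO_NTDOMAIN[realm.lower()], user
    rows = db.execute("SELECT domain FROM user_domain WHERE sam = ?",
                      (login,)).fetchall()
    if len(rows) == 1:
        return rows[0][0], login
    if len(rows) > 1:
        raise ValueError("%r exists in %d domains; require DOM\\user" % (login, len(rows)))
    if default_domain:
        return default_domain, login
    raise ValueError("unknown user %r" % login)
```

The (domain, user) pair is what you would then hand to ntlm_auth's --domain and --username options instead of the hard-coded mapping.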