LDAP Binding
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 10 16:21:15 CET 2012
On 10/02/12 14:38, NdK wrote:
> Hello all.
>
> Is it possible to bind to AD's LDAP using the Kerberos ticket obtained
> at join time?
This question does not make sense. Joining a domain doesn't "obtain a
Kerberos ticket". It creates a machine account principal, and a shared
secret (password) that can *in future* be used to obtain Kerberos tickets.
> That would allow searching for group membership without spawning more
> processes...
Three points:
First, you can do that now. Just create a service account in AD for
searching LDAP, and set the bind DN.
Secondly, checking group membership over LDAP in AD is not as simple as
you might think. Nested groups and primary group ID are the two main
problems.
Thirdly, why do you assume that spawning a process is undesirable? Have
you tested it to see which is slower?
If you say what you're trying to accomplish rather than how, it might be
a bit clearer.
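The two AD pitfalls named above (nested groups and the primary group) are worth seeing concretely. The following is an added example, not code from the thread or from FreeRADIUS: it builds the transitive-membership filter AD accepts via the LDAP_MATCHING_RULE_IN_CHAIN rule, and reconstructs the primary group's SID (which never appears in memberOf) from the user's objectSid and primaryGroupID. The DN and SID values are constructed sample data; the search itself would be run over the service-account bind suggested above.

```python
import struct

# Microsoft's transitive-membership matching rule (LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing ( ) * or \\ cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def nested_member_filter(user_dn: str) -> str:
    """Filter matching every group the user is in, following nested membership.

    A plain (member=<dn>) only finds direct membership; the :1941: rule walks
    the chain server-side so group-in-group nesting is resolved by AD itself.
    """
    return "(&(objectClass=group)(member:%s:=%s))" % (
        IN_CHAIN_RULE, escape_filter_value(user_dn))


def sid_to_string(sid: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-21-... textual form."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, sid[8:8 + 4 * sub_count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def primary_group_sid(user_sid: bytes, primary_group_id: int) -> str:
    """AD stores only the RID of the primary group; rebuild the full group SID
    by replacing the user's own RID with primaryGroupID. This group must be
    checked separately, because it is not listed in member/memberOf."""
    parts = sid_to_string(user_sid).split("-")
    return "-".join(parts[:-1] + [str(primary_group_id)])


# Constructed sample: domain S-1-5-21-1-2-3, user RID 1105, primaryGroupID 513.
SAMPLE_USER_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 1105)
SAMPLE_USER_DN = "CN=Bob (Lab),OU=Users,DC=example,DC=com"

if __name__ == "__main__":
    print(nested_member_filter(SAMPLE_USER_DN))
    print(primary_group_sid(SAMPLE_USER_SID, 513))
```

A complete membership check is the union of the groups returned by the filter and the one group whose objectSid equals the reconstructed primary group SID.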