LDAP Binding
Alan DeKok
aland at deployingradius.com
Fri Feb 10 22:37:36 CET 2012
NdK wrote:
> Can't create "users" in AD. Just machine accounts.
That's a local policy which can be changed.
AD is perfectly capable of creating read-only administrator accounts.
It's what everyone else does.
> Maybe it's possible
> to use the (or "a dedicated") *machine* account credentials?
No.
> Reading FR docs it seems it's something to avoid whenever possible.
> Since there's an internal ldap module, I thought it could be possible to
> use it.
Yes.
> I need to determine if/what to return in 'access-accept' when a user
> authenticates to a switch.
See the switch documentation for what to return in an Access-Accept.
Every switch vendor has their own idea of what is "normal".
> - students (determined by *domain* membership) receive a VLAN membership
> - administrators (determined by *domain* and *group* membership) receive
> *no* VLAN memberships (so they can access all the VLANS configured for
> that switch port, as said on the wiki for HPs)
> - "regular" users receive VLAN membership for a different VLAN than
> students (preventing them from tampering with the administration VLAN)
That should all be straightforward. Write a shell script which
implements those rules. Test it. Port the same rules to the internal
FreeRADIUS LDAP module && unlang.
Alan DeKok.
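The three rules quoted above, written as the kind of shell script the reply suggests starting with before porting them to the ldap module and unlang. This is an added example, not code from the thread or from FreeRADIUS; the domain names, the admin group DN and the VLAN numbers are constructed placeholders, and the user's domain and group DNs are assumed to have been looked up already (the script takes them as arguments, so the decision logic can be tested without a directory).

```shell
#!/bin/sh
# Added example: VLAN assignment rules as a testable shell function.
# The user's AD domain and group DNs are passed in as arguments; in a real
# deployment they would come from an LDAP lookup (e.g. the memberOf values).

# Constructed/assumed values, not from the thread:
STUDENT_DOMAIN="students.example.edu"                                  # assumed student domain
USER_DOMAIN="staff.example.edu"                                        # assumed staff/admin domain
ADMIN_GROUP="cn=switch-admins,ou=groups,dc=staff,dc=example,dc=edu"   # assumed admin group DN
STUDENT_VLAN=100                                                       # assumed VLAN id
USER_VLAN=200                                                          # assumed VLAN id

# vlan_attrs VLANID
# Prints the three reply attributes most switches expect for a VLAN assignment.
vlan_attrs() {
    printf 'Tunnel-Type = VLAN\nTunnel-Medium-Type = IEEE-802\nTunnel-Private-Group-Id = "%s"\n' "$1"
}

# decide DOMAIN [GROUP_DN ...]
# Prints the Access-Accept reply attributes for the user and returns 0.
# Prints nothing for administrators (no VLAN attributes at all, as the post
# describes for HP switches). Returns 1 for an unknown domain (reject).
decide() {
    domain="$1"
    shift
    case "$domain" in
        "$STUDENT_DOMAIN")
            # Students: membership in the student domain alone decides the VLAN.
            vlan_attrs "$STUDENT_VLAN"
            return 0
            ;;
        "$USER_DOMAIN")
            # Admins need the staff domain AND the admin group; a matching group
            # from any other domain is deliberately ignored.
            for g in "$@"; do
                if [ "$g" = "$ADMIN_GROUP" ]; then
                    return 0
                fi
            done
            # Regular users: a VLAN separate from the student one.
            vlan_attrs "$USER_VLAN"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# Usage demo (the "|| echo" keeps the script running under set -e):
decide "$STUDENT_DOMAIN" || echo "REJECT"
decide "$USER_DOMAIN" "$ADMIN_GROUP" || echo "REJECT"
decide "other.example" || echo "REJECT"
```

Once the rules pass this kind of test, the same decisions map onto unlang: in FreeRADIUS 2.x the ldap module exposes group membership through the `Ldap-Group` check attribute, and each branch becomes an `update reply { ... }` block carrying the same three `Tunnel-*` attributes (or none for administrators). Whether "no VLAN attributes" really means "all VLANs on the port" depends on the switch, which is the point of checking the vendor documentation first.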