LDAP Binding

Alan DeKok aland at deployingradius.com
Fri Feb 10 22:37:36 CET 2012


NdK wrote:
> Can't create "users" in AD. Just machine accounts.

  That's a local policy which can be changed.

  AD is perfectly capable of creating read-only administrator accounts.
 It's what everyone else does.

> Maybe it's possible
> to use the (or "a dedicated") *machine* account credentials?

  No.

> Reading FR docs it seems it's something to avoid whenever possible.
> Since there's an internal ldap module, I thought it could be possible to
> use it.

  Yes.

> I need to determine if/what to return in 'access-accept' when an user
> authenticates to a switch.

  See the switch documentation for what to return in an Access-Accept.
Every switch vendor has their own idea of what is "normal".

> - students (determined by *domain* membership) receive a VLAN membership
> - administrators (determined by *domain* and *group* membership) receive
> *no* VLAN memberships (so they can access all the VLANS configured for
> that switch port, as said on the wiki for HPs)
> - "regular" users receive VLAN membership for a different VLAN than
> students (preventing 'em to tamper with administration VLAN)

  That should all be straightforward.  Write a shell script which
implements those rules.  Test it.  Port the same rules to the internal
FreeRADIUS LDAP module && unlang.

  Alan DeKok.



More information about the Freeradius-Users mailing list