Active Directory group check via winbind + rlm_unix, not LDAP

A.L.M.Buxey
Mon Sep 1 13:42:33 CEST 2014


> I apparently got this to work and wanted to share the solution in the
> hope that it will be helpful to someone, but also to ask if anyone sees
> any issues with the approach:

interesting solution

>                 if (User-Name !~ /DOMAIN\\\\/i) {
>                         update request {
>                                 User-Name := "DOMAIN\\\\%{User-Name}"
>                         }
>                 }

you shouldn't play with User-Name - use a temporary/local RADIUS attribute instead

> Another possible advantage is redundancy -- I understand the LDAP method
> does not allow for multiple LDAP servers. Using winbindd (I theorize, I

yes, it does (allow multiple servers)

> am not sure about this) provides redundancy because the group membership
> comes from the domain controller, which is found using DNS lookups --
> if a controller goes down then another (hopefully) takes its place and
> winbindd will be able to find it with no configuration changes.

no. it rarely falls over nicely to the next server. winbindd is rubbish
(I know, we use it)
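One way to follow the advice above about leaving User-Name alone, as an added unlang example that is not part of the original post or of any FreeRADIUS distribution file. It builds the DOMAIN\user form in Stripped-User-Name (a standard FreeRADIUS internal attribute) and keeps the original User-Name untouched for accounting and the Access-Accept; the assumption, which should be checked against the docs of the module doing the lookup, is that that module consults Stripped-User-Name before User-Name. The DOMAIN name is a placeholder.

```unlang
authorize {
	# Added example: build the winbind-style name in a scratch attribute.
	# User-Name itself is left exactly as the NAS sent it.
	if (User-Name =~ /^DOMAIN\\\\/i) {
		# Already qualified: copy as-is.
		update request {
			Stripped-User-Name := "%{User-Name}"
		}
	}
	else {
		# Not qualified: prepend the placeholder domain.
		update request {
			Stripped-User-Name := "DOMAIN\\\\%{User-Name}"
		}
	}

	# Assumption: the group-checking module (e.g. rlm_unix's Group check)
	# reads Stripped-User-Name first; verify this for your version.
	unix
}
```

Because User-Name is never rewritten, the name logged in detail files and returned to the NAS stays what the client supplied, and the domain-qualified form exists only for the lookup that needs it.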


More information about the Freeradius-Users mailing list