Active Directory group check via winbind + rlm_unix, not LDAP
matsimon.lists at simweb.ch
Mon Sep 1 14:02:52 CEST 2014
Hi
On 01.09.2014 13:42, A.L.M.Buxey at lboro.ac.uk wrote:
>> am not sure about this) provides redundancy because the group membership
>> comes from the domain controller, which is found using DNS lookups --
>> if a controller goes down then another (hopefully) takes its place and
>> winbindd will be able to find it with no configuration changes.
>
> no. it rarely falls over nicely to the next server. winbindd is rubbish
> (i know, we use it)
Which I unfortunately have to confirm: it fails over neither quickly nor
that nicely; it may take its time to fail over, which might take enough time for
the user to get an authentication error...
Usually an LDAP lookup for the group membership is very quick and can be balanced.
(even though AD's LDAP isn't one of the fastest LDAP servers)
-- Mathieu