Active Directory group check via winbind + rlm_unix, not LDAP

matsimon.lists at simweb.ch matsimon.lists at simweb.ch
Mon Sep 1 14:02:52 CEST 2014


Hi

Am 01.09.2014 13:42, schrieb A.L.M.Buxey at lboro.ac.uk:

>> am not sure about this) provides redundancy because the group 
>> membership
>> comes from the domain controller, which is found using DNS lookups --
>> if a controller goes down then another (hopefully) takes its place and
>> winbindd will be able to find it with no configuration changes.
> 
> no. it rarely falls over nicely to the next server. winbindd is rubbish
> (i know, we use it)

Which I unfortunately have to confirm: it doesn't fail over either quickly or
that nicely. It may take its time to fail over, which might take enough time for
the user to get an authentication error...

Usually an LDAP lookup for the group membership is very quick and can be
balanced.
(even though AD's LDAP isn't one of the fastest LDAP servers)

-- Mathieu
