Active Directory group check via winbind + rlm_unix, not LDAP
Eloy Paris
peloy at chapus.net
Mon Sep 1 18:06:39 CEST 2014
Hello,
On Mon, Sep 01, 2014 at 11:42:33AM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
[...]
> > if (User-Name !~ /DOMAIN\\\\/i) {
> >     update request {
> >         User-Name := "DOMAIN\\\\%{User-Name}"
> >     }
> > }
>
> you shouldn't play with User-Name - use a temporary/local RADIUS attribute instead
I'm all for that, but then how can the "Group == 'xxxxx'" check be done
against this temporary/local attribute? The group check is always done
against the User-Name attribute, isn't it?
> > Another possible advantage is redundancy -- I understand the LDAP method
> > does not allow for multiple LDAP servers. Using winbindd (I theorize, I
>
> yes, it does (allow multiple servers)
Good to know; thanks!
Cheers,
Eloy Paris.-