Active Directory group check via winbind + rlm_unix, not LDAP

Alan DeKok aland at
Mon Sep 1 18:30:33 CEST 2014

Eloy Paris wrote:
> I'm all for that, but then how can the "Group == 'xxxxx'" check be done
> against this temporary/local attribute? The group check is always done
> against the User-Name attribute, isn't it?

  Use Stripped-User-Name.  That's what it's for.  Everything in the
server that needs a stripped user name uses that.  Changing
Stripped-User-Name won't affect EAP.

  Alan DeKok.
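
The approach from the reply above, written out as an added unlang example; it is not part of the original post and not FreeRADIUS's shipped configuration. It assumes logins arrive as user@REALM, that the rlm_unix instance has its default name "unix" (so the comparison attribute is called Group), and that winbind is configured in nsswitch.conf so system group lookups reach Active Directory, as the thread subject implies.

```unlang
authorize {
    # Assumption: the client sends User-Name as "user@REALM".
    # Copy only the bare account name into Stripped-User-Name and
    # leave User-Name untouched. Per the reply above, changing
    # Stripped-User-Name does not affect EAP.
    if (User-Name =~ /^([^@]+)@/) {
        update request {
            Stripped-User-Name := "%{1}"
        }
    }

    # rlm_unix compares Group against the system group database.
    # With Stripped-User-Name present, the lookup is done for the
    # stripped name rather than the full User-Name.
    # "xxxxx" is the placeholder group name used in the thread.
    if (!(Group == "xxxxx")) {
        reject
    }

    eap
}
```

Running the server in debug mode (`radiusd -X`) shows the value assigned to Stripped-User-Name and the result of the Group comparison for each request.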

More information about the Freeradius-Users mailing list