Granting varied levels of NAS permission based on LDAP group membership
Marco Gaiarin
gaio at lilliput.linux.it
Sun Apr 24 15:30:24 UTC 2022
Hello! Nick Porter
On that day it was said...
> There is a caveat (down to Active Directory behaviour), the user's
> primary group is not returned with either technique, and equally, nested
> groups which the user's primary group is a member of will not be
> returned. That's just how Active Directory chooses to present group
> membership in LDAP queries.
...but consider that in AD the default policy is to add users to the 'Domain
Users' group:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domainusers
so if you keep 'Domain Users' as the default group and use only other groups for
the membership "filter" (in a loose sense), you are OK...
--
To err is human, but to really make a mess
you need the root password (Zio Budda)
More information about the Freeradius-Users
mailing list
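
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the behaviour discussed in the thread, where a decision based on `memberOf` never sees the primary group, plus a check that no policy group is hidden as someone's primary group. All DNs, SIDs and privilege names are constructed, and the AD attributes `objectSid` and `primaryGroupID` are not mentioned in the thread.

```python
# Added example; every DN, SID and privilege name below is constructed.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=org"
NAS_ADMINS = "CN=NAS-Admins,OU=Groups,DC=example,DC=org"
NAS_READONLY = "CN=NAS-ReadOnly,OU=Groups,DC=example,DC=org"

# Group SID -> DN, as a directory lookup by objectSid would resolve it.
GROUP_BY_SID = {f"{DOMAIN_SID}-513": DOMAIN_USERS}  # RID 513 = Domain Users

# User entries as an LDAP search against AD returns them: memberOf
# omits the primary group, which is only referenced by primaryGroupID.
USERS = {
    "alice": {"objectSid": f"{DOMAIN_SID}-1105", "primaryGroupID": "513",
              "memberOf": [NAS_ADMINS]},
    "bob": {"objectSid": f"{DOMAIN_SID}-1106", "primaryGroupID": "513",
            "memberOf": []},
}

# Hypothetical policy, most privileged first: group DN -> NAS level.
POLICY = [(NAS_ADMINS, "admin"), (NAS_READONLY, "read-only")]


def primary_group_dn(entry):
    """Resolve the primary group: domain part of the user's SID + RID."""
    domain_sid = entry["objectSid"].rsplit("-", 1)[0]
    return GROUP_BY_SID.get(f"{domain_sid}-{entry['primaryGroupID']}")


def nas_level(entry, policy=POLICY):
    """Highest level granted by memberOf alone; None means reject."""
    member_of = {dn.lower() for dn in entry["memberOf"]}
    for group_dn, level in policy:
        if group_dn.lower() in member_of:
            return level
    return None


def policy_groups_hidden_as_primary(users, policy=POLICY):
    """Policy groups that are some user's primary group, so a memberOf
    check would silently miss that user. Empty list = policy is safe."""
    primaries = {(primary_group_dn(e) or "").lower() for e in users.values()}
    return [dn for dn, _ in policy if dn.lower() in primaries]


if __name__ == "__main__":
    for name, entry in USERS.items():
        print(name, nas_level(entry), primary_group_dn(entry))
    print("unsafe:", policy_groups_hidden_as_primary(USERS))
```
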