Hi,

On Fri, Feb 03, 2012 at 08:22:38AM +0100, NdK wrote:
> On 02/02/2012 21:59, Matthew Newton wrote:
> 
> >> /usr/bin/net ads search -P "(mail=%{User-Name})" sAMAccountName|grep
> >> sAMAccountName|sed "s/^[^ ]* //"
> >> (maybe it's possible to do the same without using grep and sed, but it's
> >> been just a quick test -- suggestions welcome).
> > 
> > Have you tried ldapsearch? Might be more flexible.
> Can't use it: for security (privacy) our DCs don't allow anonymous
> binding. And I can't add users, just machines and OUs.

ldapsearch allows you to bind as a specific user for searches
(I do that), but if you can't add users to your DCs (?!) then
I guess that option's out.

> > But that's not really a FreeRADIUS issue. You'd probably be better
> > finding a samba or AD list.
> What I was saying was:
> 1) it should be doable to let users do MSCHAPv2 auth using mail account
> (which could be unrelated to sAMAccountName) instead of "strange" (from
> users' POV) usernames with domains
> 2) I was asking for some "trick" that lets me do the same thing without
> requiring processes for grep and sed (if possible... and that's FR specific)

Apologies - I meant that finding the answer to your 'trick' is not
a FreeRADIUS thing. It's a directory lookup, or identity
management type issue.

Then, yes, of course it translates into 'how do I do this search
_within_ FreeRADIUS'.

Hence you might initially get better answers from AD people on the
lookup, rather than FreeRADIUS people.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <[email protected]>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[email protected]>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html