On 10/02/2012 16:21, Phil Mayers wrote:
>> Is it possible to bind to AD's LDAP using the Kerberos ticket obtained
>> at join time?
> This question does not make sense. Joining a domain doesn't "obtain a
> kerberos ticket". It creates a machine account principal, and a shared
> secret (password) that can *in future* be used to obtain kerberos tickets.

Yep. Sorry. Tried to "condense" too much :(

> First, you can do that now. Just create a service account in AD for
> searching LDAP, and set the bind DN.

Can't create "users" in AD. Just machine accounts. Maybe it's possible to use the (or "a dedicated") *machine* account credentials?

> Secondly, checking group membership over LDAP in AD is not as simple as
> you might think. Nested groups and primary group ID are the two main
> problems.

I know: about 5-6 years ago I wrote a lot of PHP code that did exactly that. A nightmare. But doable. At least in PHP.

> Thirdly, why do you assume that spawning a process is undesirable? Have
> you tested it to see which is slower?

Reading the FR docs, it seems it's something to avoid whenever possible. Since there's an internal ldap module, I thought it could be possible to use it.

> If you say what you're trying to accomplish rather than how, it might be
> a bit clearer.

Trying to avoid a script (1st exec of "bash") that does a "net ads search" (2nd exec) and filters the output with "sed" (it wasn't too hard to write a script that does "grep", too -- 3rd exec).

I need to determine if/what to return in 'access-accept' when a user authenticates to a switch.
- students (determined by *domain* membership) receive a VLAN membership
- administrators (determined by *domain* and *group* membership) receive *no* VLAN memberships (so they can access all the VLANs configured for that switch port, as said on the wiki for HPs)
- "regular" users receive VLAN membership for a different VLAN than students (preventing them from tampering with the administration VLAN)

BYtE,
Diego.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
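The two points the thread touches, the "nested groups and primary group ID" pitfalls of AD group checks and the three-way VLAN policy Diego describes, are illustrated below in an added Python example. It is not code from the thread, from FreeRADIUS or from any of the posters: the directory is a constructed in-memory stand-in for what an LDAP search of AD returns, and the domain SID, group names, account names and VLAN ids are all assumptions. It shows why a check that only reads `memberOf` misses both a user's primary group (which AD never lists in `memberOf`) and membership inherited through a nested group, and how the resolved group set maps to an Access-Accept with VLAN attributes, an Access-Accept with none, or an Access-Reject.

```python
"""
Resolve AD group membership (nested groups plus the primaryGroupID special
case) over a constructed in-memory directory, then map the result to the
RADIUS tunnel attributes a switch expects.

Constructed example: the directory, group names, domain SID and VLAN ids
are assumptions, not values from the mailing-list thread.
"""
from __future__ import annotations

# Domain SID prefix (constructed). A user's primary group is NOT listed in
# memberOf; it is the group whose objectSid is "<domain SID>-<primaryGroupID>".
DOMAIN_SID = "S-1-5-21-1111-2222-3333"

# Constructed directory: dn -> attributes. 513 is the RID of "Domain Users".
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=org": {
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-513", "memberOf": []},
    "CN=Students,OU=Groups,DC=example,DC=org": {
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-1101", "memberOf": []},
    "CN=NetAdmins,OU=Groups,DC=example,DC=org": {
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-1102", "memberOf": []},
    # Nested: members of HelpDesk are admins only via NetAdmins.
    "CN=HelpDesk,OU=Groups,DC=example,DC=org": {
        "objectClass": "group", "objectSid": f"{DOMAIN_SID}-1103",
        "memberOf": ["CN=NetAdmins,OU=Groups,DC=example,DC=org"]},
    "CN=alice,OU=People,DC=example,DC=org": {
        "objectClass": "user", "sAMAccountName": "alice", "primaryGroupID": 513,
        "memberOf": ["CN=Students,OU=Groups,DC=example,DC=org"]},
    "CN=bob,OU=People,DC=example,DC=org": {
        "objectClass": "user", "sAMAccountName": "bob", "primaryGroupID": 513,
        "memberOf": ["CN=HelpDesk,OU=Groups,DC=example,DC=org"]},
    "CN=carol,OU=People,DC=example,DC=org": {
        "objectClass": "user", "sAMAccountName": "carol", "primaryGroupID": 513,
        "memberOf": []},
    # dave's primary group is Students (RID 1101) and memberOf is empty, so a
    # memberOf-only check would wrongly treat him as a regular user.
    "CN=dave,OU=People,DC=example,DC=org": {
        "objectClass": "user", "sAMAccountName": "dave", "primaryGroupID": 1101,
        "memberOf": []},
}

STUDENTS_GROUP = "CN=Students,OU=Groups,DC=example,DC=org"
ADMINS_GROUP = "CN=NetAdmins,OU=Groups,DC=example,DC=org"
STUDENT_VLAN = "10"   # constructed VLAN ids
STAFF_VLAN = "20"


def find_user(sam_account_name: str) -> tuple[str, dict] | None:
    """Stand-in for an LDAP search with filter (sAMAccountName=<name>)."""
    for dn, attrs in DIRECTORY.items():
        if attrs["objectClass"] == "user" and attrs.get("sAMAccountName") == sam_account_name:
            return dn, attrs
    return None


def group_dn_for_sid(sid: str) -> str | None:
    """Stand-in for an LDAP search with filter (objectSid=<sid>)."""
    for dn, attrs in DIRECTORY.items():
        if attrs["objectClass"] == "group" and attrs["objectSid"] == sid:
            return dn
    return None


def effective_groups(user_attrs: dict) -> set[str]:
    """All groups the user belongs to: direct memberOf, the primary group
    derived from primaryGroupID, and every group reachable by nesting."""
    pending = list(user_attrs["memberOf"])
    primary = group_dn_for_sid(f"{DOMAIN_SID}-{user_attrs['primaryGroupID']}")
    if primary:
        pending.append(primary)
    seen: set[str] = set()
    while pending:   # visited set makes the walk terminate even on group cycles
        dn = pending.pop()
        if dn in seen:
            continue
        seen.add(dn)
        pending.extend(DIRECTORY.get(dn, {}).get("memberOf", []))
    return seen


def radius_reply(sam_account_name: str) -> dict | None:
    """Reply attributes for Access-Accept, {} for an accept with no VLAN
    assignment (admins), or None for Access-Reject (not a domain user)."""
    found = find_user(sam_account_name)
    if found is None:
        return None
    groups = effective_groups(found[1])
    if ADMINS_GROUP in groups:
        return {}   # no VLAN attributes: port keeps its configured VLANs
    vlan = STUDENT_VLAN if STUDENTS_GROUP in groups else STAFF_VLAN
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan}


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave", "mallory"):
        print(name, radius_reply(name))
```

Against a real directory the two `find_*` helpers become LDAP searches, and the primary-group lookup needs the domain SID read from the domain object rather than hard-coded; the walk over `memberOf` stays the same, and the visited set is what keeps it safe against nested groups that refer back to each other.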

