On 02/10/2012 09:09 PM, NdK wrote:

Can't create "users" in AD. Just machine accounts. Maybe it's possible
to use the (or "a dedicated") *machine* account credentials?

rlm_ldap just needs a bind DN. Any LDAP DN with permissions to bind to the directory and execute the searches you need will suffice.

If you say what you're trying to accomplish rather than how, it might be
a bit clearer.
Trying to avoid a script (1st exec of "bash") that does a "net ads
search" (2nd exec), filters the output with "sed" (it hasn't been too hard to
write a script that does "grep", too -- 3rd exec).

I need to determine if/what to return in 'access-accept' when a user
authenticates to a switch.

You've really got several choices:

1. Use an "exec" module, ideally in post-auth so it's only run once. Whether it's written in shell, perl, C or something else is your choice.

2. Bulk-query the data from LDAP, cache it into a local SQL / text file, query that with rlm_sql / rlm_passwd. For optional extra points, use the incremental LDAP search facility to "tail" changes to LDAP.

3. Query in real-time using rlm_ldap. As said, you can't use Kerberos for this, you'll need a bind DN.

4. Something else.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
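A worked version of option 2 from the reply above, added here as an illustration; it is not code from the poster or from the FreeRADIUS project. It takes the output of a bulk directory search (a constructed LDIF sample stands in for what `ldapsearch`, run as the dedicated bind account, would return), extracts each user's AD groups, writes them into the two rlm_sql tables FreeRADIUS consults for group-based reply items (radusergroup and radgroupreply, minimal columns of the stock schema), and shows what the Access-Accept would carry for a given user. The group names, VLAN numbers, OU paths and the group-to-VLAN policy are assumptions for the example; the Tunnel-* attributes are the standard RFC 3580 VLAN assignment a switch understands.

```python
"""Build an rlm_sql-style cache from a bulk LDAP (AD) dump.

Example for the 'bulk-query, cache locally, answer from rlm_sql' approach:
instead of exec'ing bash/net/sed per request, refresh this cache on a timer
and let FreeRADIUS read group reply items from the local database.

SAMPLE_LDIF is CONSTRUCTED sample data in the shape ldapsearch prints;
user names, OU paths and group names are made up for the example.
"""
import re
import sqlite3

SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
memberOf: CN=net-admins,OU=Groups,DC=example,DC=test
memberOf: CN=staff,OU=Groups,DC=example,DC=test

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
memberOf: CN=staff,OU=Groups,DC=example,DC=test

dn: CN=Carol Example,OU=Contractors,DC=example,DC=test
sAMAccountName: carol
"""

# Assumed policy (not from the post): which AD group gets which reply items.
# Order matters: rlm_sql walks a user's groups by ascending priority and stops
# at the first group whose check items match (unless Fall-Through is set), so
# the most privileged group is listed first.
GROUP_POLICY = [
    ("net-admins", [("Tunnel-Type", ":=", "VLAN"),
                    ("Tunnel-Medium-Type", ":=", "IEEE-802"),
                    ("Tunnel-Private-Group-Id", ":=", "10")]),
    ("staff", [("Tunnel-Type", ":=", "VLAN"),
               ("Tunnel-Medium-Type", ":=", "IEEE-802"),
               ("Tunnel-Private-Group-Id", ":=", "20")]),
]

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def parse_ldif(text):
    """Return {sAMAccountName: [group CN, ...]} from LDIF-style text.

    Entries are blank-line separated; only sAMAccountName and memberOf are
    read. Caveat: base64 ('::') values, folded lines and DN components with
    escaped commas ('\\,') are not handled; the sample contains none.
    """
    users = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name, groups = None, []
        for line in block.splitlines():
            key, _, value = line.partition(":")
            value = value.strip()
            if key.lower() == "samaccountname":
                name = value
            elif key.lower() == "memberof":
                m = _CN_RE.match(value)
                if m:
                    groups.append(m.group(1))
        if name:
            users[name] = groups
    return users


def build_cache(users, db_path=":memory:"):
    """Populate radusergroup / radgroupreply (minimal columns of the stock
    rlm_sql schema) and return the open connection. Users in no policy
    group get no radusergroup row at all, so they match nothing."""
    db = sqlite3.connect(db_path)
    db.executescript("""
        DROP TABLE IF EXISTS radusergroup;
        DROP TABLE IF EXISTS radgroupreply;
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
    """)
    for group, attrs in GROUP_POLICY:
        db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?)",
                       [(group, a, op, v) for a, op, v in attrs])
    for user, groups in users.items():
        for prio, (group, _) in enumerate(GROUP_POLICY, start=1):
            if group in groups:
                db.execute("INSERT INTO radusergroup VALUES (?,?,?)",
                           (user, group, prio))
    db.commit()
    return db


def reply_for(db, username):
    """Reply items for the user's Access-Accept as (attribute, op, value)
    tuples, or None when no policy group matched (caller decides whether
    that means reject or a default VLAN). Only the lowest-priority group is
    used, mirroring rlm_sql without Fall-Through."""
    row = db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? "
        "ORDER BY priority LIMIT 1", (username,)).fetchone()
    if row is None:
        return None
    rows = db.execute(
        "SELECT attribute, op, value FROM radgroupreply "
        "WHERE groupname = ? ORDER BY rowid", (row[0],)).fetchall()
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    cache = build_cache(parse_ldif(SAMPLE_LDIF))
    for name in ("alice", "bob", "carol"):
        print(name, reply_for(cache, name))
```

In a real deployment the LDIF comes from a periodic `ldapsearch` bound as the dedicated account, the cache is written to the SQL backend FreeRADIUS's sql module points at (the stock schema has more columns than created here), and the same group-to-attribute policy could instead be expressed against rlm_ldap's Ldap-Group checks if option 3 is chosen. A user who is in no mapped group deliberately gets no rows, so the "what to return" decision for unknown users stays explicit rather than falling out of a missing table entry.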
