G'day all,

I've taken out a configuration from an earlier prototype that I used with Samba/Winbind authentication, but I didn't use rlm_ldap for authorization back then. (Having some archives can be quite useful sometimes...) ;-)

Since ntlm_auth properly leads to Access-Rejects for disabled users, I can ignore how good or how bad rlm_ldap behaves for disabled users, as long as it properly checks for group memberships (that's what I'm interested in for LDAP checks). And even if Arran points out the brokenness of the rlm_ldap code in FR 2.x, group checks based on rlm_ldap are working as expected, and that's what I'm required to get working with this setup.

Regarding...

> Since your testing auth request was PAP, mschap will never be
> called for this, so you're stuck basically.

The result was the same when using radtest with "-t mschap", if that's what you're pointing out.

I guess for the current time I'm going to stay with an ADS-joined Samba and use LDAP only for the authorization part. Summing up, I feel I'm ending up with fewer components, taming overall complexity a bit.

Thank you guys for your input!

--
Mathieu