Hello Stephen,
The account used to join the domain needs to be a Domain Admin; the password will
not be saved (it is used once).
The account used to authenticate via the LDAP source from
PacketFence needs to be a read-only account (it is used at every connection attempt).
Thanks
On 03/24/2017 08:07 AM, Stephen Ware wrote:
Hi there,
I'm fairly new to PF and have just set up v6.5.0 on CentOS 7. I have
the basics working on a standalone setup and the next step is to
integrate PF into a Windows domain with the ultimate aim of doing
certificate-based authentication using 802.1X on all wired connections.
My question involves the domain admin level account used for querying
AD when using the built-in FreeRADIUS and authenticating against
Active Directory.
The PF Administration Guide states the account must be a domain
account: "*Username* is the username that will be used for binding to
the server. This account must be a domain administrator."
There are obvious security risks when using domain administrator
accounts so I was hoping to use a non-administrator account. I have
other situations where applications are doing AD lookups and
authentication that work ok with read-only accounts. Why does PF
require domain administrator level?
Steve
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
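As an added example, not code from this thread or from the PacketFence project: a PowerShell script for the Active Directory side of the split Antoine describes. It creates a dedicated read-only account for the PacketFence LDAP source, checks that the account carries no privileged group membership, and confirms that a bind with that account can perform the kind of user lookup PacketFence does on every connection attempt. The only step that still needs Domain Admin credentials is the one-time domain join, which this script does not perform. The domain corp.example, the base DN, the OU "Service Accounts" and the account name svc-pf-ldap are assumptions.

```powershell
# Added example (not PacketFence project code). Run on a domain controller or on a
# host with the ActiveDirectory RSAT module, as a user allowed to create accounts.
# Assumed names: domain corp.example, OU "Service Accounts", account svc-pf-ldap.
Import-Module ActiveDirectory

$Domain    = 'corp.example'
$BaseDN    = 'DC=corp,DC=example'
$ServiceOU = "OU=Service Accounts,$BaseDN"
$BindSam   = 'svc-pf-ldap'
$BindUpn   = "$BindSam@$Domain"

# 1. Create the read-only bind account used by the PacketFence LDAP source.
#    It is an ordinary domain user: no membership beyond the default Domain Users,
#    and it cannot change its own password, since it only ever binds and searches.
$Password = Read-Host -Prompt "Password for $BindSam" -AsSecureString
New-ADUser -Name $BindSam `
           -SamAccountName $BindSam `
           -UserPrincipalName $BindUpn `
           -Path $ServiceOU `
           -Description 'PacketFence LDAP source bind account (read-only)' `
           -AccountPassword $Password `
           -CannotChangePassword $true `
           -PasswordNeverExpires $false `
           -Enabled $true

# 2. Check: the bind account must not sit in any privileged group.
#    Domain Users is the only membership a read-only bind account should have.
$Privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators', 'Backup Operators',
                'Server Operators', 'Print Operators')
$Groups = Get-ADPrincipalGroupMembership -Identity $BindSam |
          Select-Object -ExpandProperty Name
$Bad = $Groups | Where-Object { $Privileged -contains $_ }
if ($Bad) {
    throw "$BindSam is a member of privileged group(s): $($Bad -join ', ')"
}
Write-Host "$BindSam group membership: $($Groups -join ', ')"

# 3. Check: a bind as the new account can search the directory. This uses
#    .NET DirectoryServices with the account's own credentials rather than the
#    caller's Kerberos ticket, so it is the bind account that is being tested.
Add-Type -AssemblyName System.DirectoryServices
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
try   { $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr) }

$Entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Domain/$BaseDN", $BindUpn, $Plain,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Entry)
$Searcher.Filter = "(sAMAccountName=$BindSam)"
$null = $Searcher.PropertiesToLoad.Add('distinguishedName')
$Result = $Searcher.FindOne()
$Plain = $null
if (-not $Result) { throw "Read-only bind as $BindUpn could not search $BaseDN" }
Write-Host "Read-only bind OK: found $($Result.Properties['distinguishedname'][0])"
```

The search in step 3 only proves the account can read; it does not prove it cannot write. A plain domain user in a default AD has no modify rights on other objects, but if the OU has custom ACLs, inspect them with Get-Acl on the AD: drive before handing the account to PacketFence. The Domain Admin credential for the join stays out of this script entirely, matching the one-time use Antoine describes.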