Ldap binding with different attribute

2012-02-28 Thread LEONARDO FELL
Hi everybody, I have a freeradius+openldap working well, but I'd like to make some changes. Below is the ldap module configuration: server = "ldap.mycompany.br" identity = "cn=Admin,dc=univates,dc=br" password = xx basedn = "dc=my

Re: LDAP Binding

2012-02-11 Thread Phil Mayers
On 02/10/2012 09:09 PM, NdK wrote: Can't create "users" in AD. Just machine accounts. Maybe it's possible to use the (or "a dedicated") *machine* account credentials? rlm_ldap just needs a bind DN. Any ldap DN with permissions to bind to the directory and execute the searches you need will su

RE: LDAP Binding

2012-02-10 Thread Sallee, Stephen (Jake)
@lists.freeradius.org] on behalf of Alan DeKok [al...@deployingradius.com] Sent: Friday, February 10, 2012 3:37 PM To: FreeRadius users mailing list Subject: Re: LDAP Binding NdK wrote: > Can't create "users" in AD. Just machine accounts. That's a local policy which c

Re: LDAP Binding

2012-02-10 Thread Alan DeKok
NdK wrote: > Can't create "users" in AD. Just machine accounts. That's a local policy which can be changed. AD is perfectly capable of creating read-only administrator accounts. It's what everyone else does. > Maybe it's possible > to use the (or "a dedicated") *machine* account credentials

Re: LDAP Binding

2012-02-10 Thread NdK
On 10/02/2012 16:21, Phil Mayers wrote: >> Is it possible to bind to AD's LDAP using the Kerberos ticket obtained >> at join time? > This question does not make sense. Joining a domain doesn't "obtain a > kerberos ticket". It creates a machine account principal, and a shared > secret (passwor

Re: LDAP Binding

2012-02-10 Thread Phil Mayers
On 10/02/12 14:38, NdK wrote: Hello all. Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time? This question does not make sense. Joining a domain doesn't "obtain a kerberos ticket". It creates a machine account principal, and a shared secret (password) that ca

Re: LDAP Binding

2012-02-10 Thread Alan DeKok
NdK wrote: > Is it possible to bind to AD's LDAP using the Kerberos ticket obtained > at join time? No. The LDAP API doesn't support that. > That would allow to search for group membership without spawning more > processes... Huh? You can configure AD as an LDAP server, and do group member

LDAP Binding

2012-02-10 Thread NdK
Hello all. Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time? That would allow to search for group membership without spawning more processes... Tks, Diego.