
List:       freeradius-users
Subject:    Re: Checking Active Directory group membership with winbind
From:       Arran Cudbard-Bell <a.cudbardb () freeradius ! org>
Date:       2016-06-18 17:27:59
Message-ID: 4E88E3C7-014E-4A3F-9832-259F46D8DD49 () freeradius ! org

> On 17 Jun 2016, at 18:38, Matthew Newton <mcn4@leicester.ac.uk> wrote:
> 
> Hi,
> 
> There is now code in the rlm_winbind module in v3.1.x that permits
> checking AD group membership in a similar way that you can
> currently do with LDAP. So if you don't want to configure LDAP,
> but do have a need to check AD groups, this might be useful.
> 
> I haven't done any benchmark tests, so have no idea whether it is
> any faster than using LDAP or not. For the first group request I
> suspect it may be slower due to the winbind gid remapping. For
> subsequent requests, for which winbind still has the user's groups
> cached (a few minutes at least, it seems), group searches are
> very fast.
> 
> Usage is similar to rlm_ldap. Enable the winbind module in
> mods-enabled, then you can:
> 
>  if (Winbind-Group == "my-user-group") {
>    ...
>  }
> 
> for an instance of rlm_winbind e.g.
> 
>  winbind mywb {
>    ...
>  }
> 
> you can use:
> 
>  if (mywb-Winbind-Group == "my-user-group") {
>    ...
>  }
> 
> Running with -Xx gives more debug information including a list of
> all the groups being checked for the user (until a match is
> found).
> 
> In addition, rlm_winbind will now try and find the current Windows
> domain directly from winbind, so there should be no need to
> configure it with winbind_domain (this is not the case for the
> same option in rlm_mschap, yet...).
> 
> Testing and feedback welcome.

Looks good!  IIRC this allows checks against nested groups too, right?

-Arran

Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


