From: Antoine A. <aam...@in...> - 2017-03-24 13:14:12
Hello Stephen,

The account used to join the domain needs to be a Domain Admin; the password will not be saved (it is used once). The account used to do the authentication via the LDAP source from PacketFence needs to be a read-only account (it is used at every connection attempt).

Thanks

On 03/24/2017 08:07 AM, Stephen Ware wrote:
> *This email has been classified as: NOT PROTECTIVELY MARKED*
>
> Hi there,
>
> I'm fairly new to PF and have just set up v6.5.0 on CentOS 7. I have the basics working on a standalone setup and the next step is to integrate PF into a Windows domain with the ultimate aim of doing certificate-based authentication using 802.1X on all wired connections.
>
> My question involves the domain admin level account used for querying AD when using the built-in FreeRADIUS and authenticating against Active Directory.
>
> The PF Administration Guide states the account must be a domain account: "*Username* is the username that will be used for binding to the server. This account must be a domain administrator."
>
> There are obvious security risks when using domain administrator accounts, so I was hoping to use a non-administrator account. I have other situations where applications are doing AD lookups and authentication that work ok with read-only accounts. Why does PF require domain administrator level?
>
> Steve

--
Antoine Amacher
aam...@in... :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)