From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Sat, 05 May 2007 12:47:20 +0200
Subject: Re: PF and AD
In-Reply-To: (Ricardo Benq's message of "Thu, 03 May 2007 21:00:51 +0000")
Message-ID: <877irno8cn.fsf@thingy.datadok.no>
List-Id: "Technical discussion and general questions about packet filter (pf)"

"Ricardo Benq" writes:

> Is it possible to make filter rules that are based on Microsoft Active
> Directory users?

If you can have the sshd on your pf equipped gateway use authentication
data from your Microsoft system (which is sort of LDAPish), the next (and
possibly smaller) hurdle is to set up authpf and sensible per user or per
user group rules to be loaded by authpf as appropriate.

> Do I have to install samba/winbind? Are there tutorials?

The gateway would need to interface with the Windows kit one way or the
other, and IIRC kerberos is among the basic requirements. Our friend G
turns up a lot of references for "sshd Active Directory", so at least
it's been tried before.

It certainly sounds like useful tutorial material if there isn't one
available already. That is, if anyone pf-savvy can be persuaded to dive
into the AD stuff too.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
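As an added illustration of the authpf side of the answer above (not from the original mail; the interface names, networks, ports and the user name "jdoe" are assumed), this is the pf.conf scaffolding authpf(8) needs plus a per-user rule file that authpf loads only while that user holds an ssh session on the gateway:

```pf
# /etc/pf.conf on the gateway (assumed interface and network names)
ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/24"

# Anchors that authpf(8) fills with the authenticated user's rules.
# All four must exist, even if the nat/rdr/binat ones stay empty.
nat-anchor   "authpf/*"
rdr-anchor   "authpf/*"
binat-anchor "authpf/*"
anchor       "authpf/*"

# Before authentication a host on the inside may only reach the
# gateway's sshd; everything else waits for the per-user rules.
block in on $int_if
pass in on $int_if proto tcp from $int_net to ($int_if) port 22 keep state

# /etc/authpf/users/jdoe/authpf.rules  (per-user file, read by authpf)
# authpf supplies $user_ip (and $user_id) for the session; macros from
# pf.conf are not visible here, so anything else is redefined locally.
int_if  = "em1"
rdp_srv = "10.0.1.10"

# jdoe's workstation may reach one RDP server and browse the web
# while the ssh session is up; the rules vanish when it closes.
pass in quick on $int_if proto tcp from $user_ip to $rdp_srv port 3389 keep state
pass in quick on $int_if proto tcp from $user_ip to any port { 80 443 } keep state
```

The user's login shell on the gateway is set to authpf, so whatever backend sshd authenticates against (AD via Kerberos, in the thread's scenario) decides who gets a rule set; a user with no file under /etc/authpf/users/ receives only the global /etc/authpf/authpf.rules.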