realms and Windows domain

Craig White craigwhite at azapple.com
Sun Dec 7 00:27:31 CET 2008


Not sure that it's the right place, but I was able to hack the 'hints' file
to handle this.

Craig

On Sat, 2008-12-06 at 12:07 -0700, Craig White wrote:
> freeradius-1.1.3-1.2.el5
> 
> LDAP authentication (OpenLDAP)
> 
> I am mostly working now but I do get failures if a user has the Windows
> Domain set to any value at all which of course means that the
> authentication is passed as DOMAIN\user and I want it to strip out the
> DOMAIN\ part and just keep the user so Windows laptops would just
> automatically authenticate current logged in user.
> 
> Not sure this is necessary but this is the debug of what is happening...
> 
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for MyOrg\craigwhite
> radius_xlat:  '(uid=MyOrg\5c\5ccraigwhite)'
> radius_xlat:  'ou=People,ou=Accounts,o=MyOrg,c=US'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
> rlm_ldap: bind as cn=admin,o=MyOrg,c=US/pass to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
> filter (uid=MyOrg\5c\5ccraigwhite)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns notfound for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 0
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?
>   rlm_mschap: Told to do MS-CHAPv2 for MyOrg\craigwhite with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request 0
> modcall: leaving group MS-CHAP (returns reject) for request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found): [MyOrg\\craigwhite/<no
> User-Password attribute>] (from client RRAS port 11 cli 68.231.14.75)
> Delaying request 0 for 1 seconds
> Finished request 0
> 
> I have tried it with ntdomain_hack enabled but the outcome is the same.
> 
> If I don't include the Domain, I get authenticated no problem...so I
> figure all I need/want is to strip the user name out.
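As an added illustration, not code from this thread or from FreeRADIUS itself, here is the transformation the hints file or with_ntdomain_hack is being asked to perform, written out in Python: split the NT domain off the User-Name before the uid lookup, and escape whatever remains per RFC 4515 so that a backslash or wildcard in the name cannot change the shape of the search filter. The function names and the sample names are mine.

```python
import re
from typing import Optional, Tuple

# RFC 4515 escaping for values placed inside an LDAP search filter.
# A raw backslash is what turns "MyOrg\craigwhite" into "MyOrg\5ccraigwhite".
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}

# DOMAIN\user: everything before the first backslash is the NT domain.
_NT_DOMAIN_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>.+)$")


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_nt_domain(user_name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user).

    A name without a domain prefix comes back unchanged with domain None,
    so the same code path serves laptops that send either form.
    """
    m = _NT_DOMAIN_RE.match(user_name)
    if not m:
        return None, user_name
    return m.group("domain"), m.group("user")


def uid_filter(user_name: str, strip_domain: bool = True) -> str:
    """Build the (uid=...) filter an LDAP authorize step would search with.

    With strip_domain=False the filter still contains the domain and the
    escaped backslash, which is why the directory finds no such uid.
    """
    if strip_domain:
        _, user_name = strip_nt_domain(user_name)
    return f"(uid={ldap_filter_escape(user_name)})"


if __name__ == "__main__":
    # Constructed sample names, not taken from a real directory.
    for name in ("MyOrg\\craigwhite", "craigwhite"):
        print(name, "->", uid_filter(name, strip_domain=False), "|", uid_filter(name))
```

The escaping step matters in its own right: stripping the domain with a naive split would still leave any remaining filter metacharacters in the uid value unescaped.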

More information about the Freeradius-Users mailing list