New User and AD Question
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 2 15:58:41 CET 2011
>
> Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4)
> +- entering group post-auth {...}
> ++[exec] returns noop
> } # server campus-eap
> Sending Access-Accept of id 179 to 128.206.131.253 port 20009
Cool.
>
> Bad news:
>
> I have a multi-domain environment. If I hard-code the domain in here, then only users or hosts from that domain will be able to authenticate. How can I make it recognize the others and behave correctly?
>
> It's fine if I have to write some code using string matching and switch/case. But I can't restrict access to only one domain.
I think you'll have to do that. The tedious bit is matching the domains
in the regexps.
My advice would be to define a local, internal-only attribute in
/etc/raddb/dictionary:
ATTRIBUTE My-NT-Domain 3003 string
...and set this in your regexps:
    # host/ principals: first matching branch wins, so order the
    # more specific domains first. The literal dots are escaped so
    # that "domain.com" cannot match e.g. "domainXcom".
    if (User-Name =~ /host[/].+[.]domain[.]com/) {
        update request {
            My-NT-Domain = "DOMAIN.COM"
        }
    }
    elsif (...) {
    }
...then in your ntlm_auth helper, do:
ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."
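As an added illustration (not part of the list post above), a small Python model of that if/elsif chain and the `%{My-NT-Domain:-DEFAULTVALUE}` fallback, useful for checking a regexp table against sample User-Names before it goes into unlang; the second domain `example.org`/`EXAMPLE` and the default value are constructed assumptions, and the anchors and case-insensitive match are choices the unlang would need to mirror (`$` anchors, `/i` flag):

```python
import re

# Constructed rule table modelling the unlang regex chain from the post.
# First matching rule wins (if/elsif).  Patterns are anchored so that a
# name carrying an extra suffix, e.g. "host/pc.domain.com.local", falls
# through to the default instead of being sent to the wrong NT domain.
DOMAIN_RULES = [
    # host/ principals (machine accounts)
    (re.compile(r"^host/[^/@]+\.domain\.com$", re.IGNORECASE), "DOMAIN.COM"),
    (re.compile(r"^host/[^/@]+\.example\.org$", re.IGNORECASE), "EXAMPLE"),
    # user@realm form, same domains
    (re.compile(r"^[^/@]+@domain\.com$", re.IGNORECASE), "DOMAIN.COM"),
    (re.compile(r"^[^/@]+@example\.org$", re.IGNORECASE), "EXAMPLE"),
]

# Stands in for the :-DEFAULTVALUE part of %{My-NT-Domain:-DEFAULTVALUE}
DEFAULT_DOMAIN = "DEFAULTVALUE"


def nt_domain_for(user_name):
    """Value My-NT-Domain would be set to for this User-Name, or None
    when no branch of the chain matched (attribute left unset)."""
    for pattern, domain in DOMAIN_RULES:
        if pattern.search(user_name):
            return domain
    return None


def ntlm_auth_domain(user_name):
    """What --domain= receives after the :-default expansion."""
    return nt_domain_for(user_name) or DEFAULT_DOMAIN


def ntlm_auth_argv(user_name):
    """Constructed ntlm_auth argument list, mirroring the helper line
    in the post with the domain filled in."""
    return ["ntlm_auth", "--domain=%s" % ntlm_auth_domain(user_name)]


if __name__ == "__main__":
    # Sample inputs: the host from the quoted log plus constructed names.
    for name in ("host/dnps-caplap-4.col.missouri.edu", "host/pc1.domain.com",
                 "alice@example.org", "host/pc1.domain.com.local"):
        print(name, "->", ntlm_auth_argv(name))
```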