Can't add a $ sign to the ldap search

Phil Mayers p.mayers at imperial.ac.uk
Mon May 23 22:13:35 CEST 2011


On 05/23/2011 08:46 PM, Alexandros Gougousoudis wrote:
> Hi Phil,
> filter =
>>> "(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}}\$))"
>>>
>>
>> Don't do that. Instead try:
>>
>> filter = "(uid=%{mschap:User-Name})"
>
> Hm, this is not working. I also don't get the point, why the username in
> mschap is mangled to have a $ or not?

The expansion %{mschap:User-Name} will expand as follows:

username -> username
DOMAIN\username -> username
host/name.domain.com -> name$

...which is correct in the cases people care about, and is the quickest 
and cleanest way to handle the various forms of usernames that Windows sends.

(On that note: it does not handle user@domain.com. It probably should...)

>
> The Windows-Workstation query their name as "host/workstation", which is
> workstation$ in my ldap. My Users are coming in as "user", so where else
> doing the lookup than in ldap module?

The %{mschap:User-Name} module is available anywhere, as long as the 
mschap module is instantiated. The request doesn't even have to be 
mschap - it gives back a modified version of the username.

If the "$" still isn't getting into the LDAP query, it might be 
something inside the LDAP module.
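
The mapping listed in the message above, mirrored in Python as an added example (not part of the original message and not FreeRADIUS source code). The function names are hypothetical, and passing user@domain.com through unchanged is an assumption based on the note that this form is not handled.

```python
# Added illustration of the three username forms listed in the message.
# Function names are hypothetical; this is not FreeRADIUS code.

def mschap_user_name(user_name: str) -> str:
    """Normalise a Windows-style User-Name the way the message describes."""
    if user_name.startswith("host/"):
        # Machine account: host/name.domain.com -> name$
        host = user_name[len("host/"):]
        return host.split(".", 1)[0] + "$"
    if "\\" in user_name:
        # DOMAIN\username -> username
        return user_name.split("\\", 1)[1]
    # Plain usernames are unchanged. Assumption: user@domain.com also
    # passes through as-is, since the message says it is not handled.
    return user_name


def ldap_escape(value: str) -> str:
    """Escape a value for an RFC 4515 search filter ('$' needs no escaping)."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def uid_filter(user_name: str) -> str:
    """Build the single-clause filter suggested in the thread."""
    return "(uid=%s)" % ldap_escape(mschap_user_name(user_name))


if __name__ == "__main__":
    # Constructed sample inputs covering each form from the message.
    for name in ("username", "DOMAIN\\username",
                 "host/name.domain.com", "host/workstation"):
        print("%-24s -> %s" % (name, uid_filter(name)))
```

Comparing this output with the filter that actually appears in the LDAP module's debug log shows whether the "$" is lost before or inside the LDAP query.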


