Changing domain for ntlm_auth
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jan 25 20:54:19 CET 2012
On 01/25/2012 07:21 PM, NdK wrote:
> That's not doable. If mail is in unibo.it, domain is not unibo.it but
> PERSONALE. Same if mail is in esterni.unibo.it . But for studio.unibo.it
> domain is STUDENTI.

Ok, so you've got >1 AD domain. Not terribly common, but it ought to
work with mapping as per the 2nd solution.

>
>> If you can't ignore the realm, you can do something like:
>> modules/mschap:
>> ...
>> ntlm_auth = ".. \
>> --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
>> --nt-domain=%{%{Realm}:-DEFAULT}"
> More something like %{%{mschap:Domain}:-%{Realm}:-PERSONALE} ...
> [...]
> So I *can* insert unlang code there! Perfect!

No. This is not "unlang". It's just a string expansion.

Unlang is a processing "language" that is only valid inside the virtual
server "authorize", "post-auth", etc. sections. It's not valid in module
configs.

String expansions (which are valid in unlang) are valid in most (not all)
places.

So:
1. Use "unlang" in authorize to set a string variable (e.g. Realm)
2. Use string expansions in the "ntlm_auth" config of the "mschap"
module to access the string variable.
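
The two steps above as a configuration sketch, added here as an illustration and not taken from the original post. It assumes the "suffix" realm module has already set Realm, uses the built-in Tmp-String-0 attribute as the string variable, and uses a placeholder path for ntlm_auth. The realm-to-domain pairs are the ones named in the thread, and --domain is ntlm_auth's option for the NT domain.

```conf
# Step 1: virtual server (e.g. sites-enabled/default or inner-tunnel).
# unlang is valid here, so the realm -> AD domain mapping lives in authorize.
authorize {
    preprocess
    suffix          # splits user@realm into Stripped-User-Name and Realm

    # Exact-match allowlist: only known realms select a domain, so the
    # user-supplied realm string itself is never passed to ntlm_auth.
    switch "%{Realm}" {
        case "studio.unibo.it" {
            update control {
                Tmp-String-0 := "STUDENTI"
            }
        }
        case "unibo.it" {
            update control {
                Tmp-String-0 := "PERSONALE"
            }
        }
        case "esterni.unibo.it" {
            update control {
                Tmp-String-0 := "PERSONALE"
            }
        }
        # No default case: unknown or missing realms leave Tmp-String-0
        # unset and fall back to the value given in the module config.
    }

    mschap
    eap
}

# Step 2: modules/mschap. Only string expansion is valid here, so the
# module just reads the attribute set in authorize, with a fallback.
mschap {
    ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
        --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
        --domain=%{%{control:Tmp-String-0}:-PERSONALE} \
        --challenge=%{%{mschap:Challenge}:-00} \
        --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

The case labels match the realm exactly as typed, so a realm entered in different letter case falls through to the PERSONALE fallback.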