force/require @domain/part
lejeczek
peljasz at yahoo.co.uk
Wed Jun 22 11:12:11 CEST 2016
On 21/06/16 15:02, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> Like when AD domain is @private.dom.my / PRIVATE and radius will
>> absolutely need this. At the moment having configs constructed of
>> bits from wikis/howtos, both: "me@private.dom.my" and "me" get
>> authenticated.
> unlang.
>
>
> in fact, recent releases of the server come with many default policies which
> will do this sort of check/enforcement for you (because they are useful...eg for eduroam!)
>
>
> either invoke the policy (call it by its name in the virtual server config) or use unlang directly
> in the authorize section eg
>
> if (User-Name !~ /@/) {
>     update reply {
>         Reply-Message = "no realm defined"
>     }
>     reject
> }
>
>
> alan
thanks guys,
Alan, when I try what you shared earlier it works, almost
perfectly; probably because of my (unusual?) setup it fails in
one place.
Here is what I'm hoping to achieve: a local domain (FreeIPA's
LDAP) and Samba being a client to an AD (all on the same box).
RADIUS has a) an LDAP backend, b) an NTLM/winbind backend to AD.
Now RADIUS authentication fails, as I wanted, if the auth
request does not include @realm. Config (default) goes like
this:
authorize {
    ..
    ntlm_auth
    if (&User-Name !~ /@private.dom.my$/i) {
        reject
    }
}
I'm not trying it as a policy yet.
It fails now for users like "me" which do exist in LDAP
(again, all local, local FreeIPA LDAP). I see LDAP is
being tried but then RADIUS moves over to NTLM and fails.
Care to share more thoughts? I'll be grateful.
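An added example (not code from the thread or from FreeRADIUS) that models, in Python, what the two unlang checks quoted above actually let through. unlang's `!~` is an unanchored regex search, so the script runs the same two patterns with re.search() over a constructed list of User-Name values; the third, tightened pattern is an assumption of this example, not something proposed in the thread.

```python
import re

# Constructed sample User-Name values (not taken from the thread) covering the
# cases a realm-enforcement check has to distinguish.
SAMPLE_USERS = [
    "me",                      # bare username, no realm at all
    "me@private.dom.my",       # the intended good value
    "ME@PRIVATE.DOM.MY",       # same realm, different case
    "me@",                     # '@' present but realm empty
    "me@other.realm",          # some other realm
    "me@privateXdomXmy",       # an unescaped '.' matches any character
    "me@evil.private.dom.my",  # realm as a suffix of a longer domain
    "@private.dom.my",         # realm present, user part empty
    "a@b@private.dom.my",      # two '@' signs
]

# unlang's `!~` performs an unanchored regex search, so these compiled
# patterns are applied with re.search() below.  ANY_AT and POSTED_REALM are
# the two checks quoted in the thread; STRICT_REALM is an added, tightened
# pattern (an assumption of this example, not something the thread proposes).
ANY_AT = re.compile(r"@")
POSTED_REALM = re.compile(r"@private.dom.my$", re.IGNORECASE)
STRICT_REALM = re.compile(r"^[^@]+@private\.dom\.my$", re.IGNORECASE)


def realm_check(user_name, pattern):
    """Mirror `if (&User-Name !~ /pattern/) { reject }`: the request is
    accepted when the pattern matches anywhere in the name, else rejected."""
    return "accept" if pattern.search(user_name) else "reject"


def accepted_by(pattern, users=SAMPLE_USERS):
    """Names from `users` that the given check would let through, in order."""
    return [u for u in users if realm_check(u, pattern) == "accept"]


def evaluate(users=SAMPLE_USERS):
    """Per-name decisions of the three checks: (any '@', posted, strict)."""
    return {
        u: (realm_check(u, ANY_AT),
            realm_check(u, POSTED_REALM),
            realm_check(u, STRICT_REALM))
        for u in users
    }


if __name__ == "__main__":
    print(f"{'User-Name':26} {'/@/':8} {'posted':8} {'strict':8}")
    for name, decisions in evaluate().items():
        print(f"{name:26} " + " ".join(f"{d:8}" for d in decisions))
```

The `/@/` check only rules out names with no '@' at all, so `me@` and `me@other.realm` get through it. The posted realm pattern does better, but with its unescaped dots and no anchor on the user part it also accepts `me@privateXdomXmy`, `@private.dom.my` and `a@b@private.dom.my`; anchoring the pattern and escaping the dots confines acceptance to the intended `user@private.dom.my` form. Whether that tighter form is what is wanted depends on how the rest of authorize (ntlm_auth and ldap here) treats the realm, which the thread does not settle.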