<div dir="ltr">Phil:<div><br></div><div style>Thanks for the response. My understanding of what was happening with LDAP was actually incorrect. I thought it was binding as the admin DN I provided and then re-binding as the user that is trying to authenticate. The message returned was "No known good password found for user". Which is just a WARNING and caused because AD doesn't return the password when querying via LDAP. So no big deal. It was actually doing what I wanted.</div>
<div style><br></div><div style>Until things got a little strange.</div><div style><br></div><div style><div>[ldap] performing user authorization for DOMAIN\usrtest</div><div>[ldap] <span class="" style="white-space:pre"> </span>expand: %{Stripped-User-Name} -> </div>
<div>[ldap] <span class="" style="white-space:pre"> </span>... expanding second conditional</div><div>[ldap] <span class="" style="white-space:pre"> </span>expand: %{User-Name} -> DOMAIN\5cusrtest</div><div>[ldap] <span class="" style="white-space:pre"> </span>expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=DOMAIN\5cusrtest)</div>
<div>[ldap] <span class="" style="white-space:pre"> </span>expand: ou=DOMAIN OU,dc=domain,dc=local -> ou=DOMAIN OU,dc=domain,dc=local</div><div> [ldap] ldap_get_conn: Checking Id: 0</div><div> [ldap] ldap_get_conn: Got Id: 0</div>
<div> [ldap] performing search in ou=DOMAIN OU,dc=domain,dc=local, with filter (samAccountName=DOMAIN\5cusrtest)</div><div> [ldap] object not found</div><div>[ldap] search failed</div><div><br></div><div style>As you can see it says performing authorization for DOMAIN\usrtest but then says it is expanding User-Name to DOMAIN\5cusrtest. Where that 5c comes from I have no idea. Any thoughts?</div>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 9, 2013 at 3:27 AM, Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 01/09/2013 12:43 AM, Matthew Ceroni wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi:<br>
<br>
I am running FreeRadius version 2.1.12 on a CentOS 6 machine.<br>
<br>
For authentication I am using AD (ntlm_auth) and this works create. In<br>
the the request the username is sent as just the plain username (ie:<br>
mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.<br>
<br>
My problem is on the authorization side in which I am using LDAP to grab<br>
the groups a user is in. In order to authentication against ldap my bind<br>
DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I<br>
modify the User-Name or Stripped user name just for the LDAP<br>
</blockquote>
<br></div>
Don't modify the "User-Name" attribute; that can break certain auth types.<br>
<br>
It's not really clear what you want to do, but you can either edit the LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local attribute "Full-User-Name" in raddb/dictionary - see the comments in there about attribute numbers - then reference that in your LDAP filters.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/<u></u>list/users.html</a><br>
</blockquote></div><br></div>