Hello.
Why not? There's a reason that the ntlm_auth configuration is editable in the mschap module. Just edit it to do whatever you want. If all else fails, replace ntlm_auth with a Perl script that looks at the environment variables, and determines the proper arguments to use.
Ahem. From my original message you may have read that your suggestion describes precisely what I am trying to implement, and that modifying the parameters passed to ntlm_auth is exactly my intention. I also understand that I could use a wrapper script or possibly do all sorts of things with %{exec:} and/or %{expr:}. I could also do some simple text mangling with the User-Name attribute as passed by the XP supplicant. However, the most elegant way of working around the servicePrincipalName that XP seems to provide when no user is logged on[1], would be to query MSAD for the corresponding sAMAccountName, and use that for NTLM authentication. I could write some Perl or Python or shell script that retrieves that information from MSAD, invoke that script via %{exec:}, and put its output in the ntlm_auth command arguments (or invoke it instead of ntlm_auth, for that matter). However, it seems sort of ridiculous to run an additional LDAP query for just that purpose, considering all the relevant information should already be available to FreeRADIUS at that point. So, to clarify my original question. What I want is this: 1. Put the value of an LDAP attribute (sAMAccountName) into a variable when the user is authorized in LDAP. 2. Access that variable when the user is being authenticated via MS-CHAPv2, and put it into the --username argument of ntlm_auth. I do understand that this would require registering said variable in dictionary and ldap.attrmap. I also understand that I need to set up a proper filter in the configuration of the ldap module, for correct authorization of the "user" that's being identified by it servicePrincipalName in this case. I have done all that. What else would I need, if what I'm trying to do is at all possible? Cheers, Florian [1] Yes, a rant about the XP supplicant providing "wrong" data in this case is in order, however that's not going to persuade my customer to switch to Ubuntu. :-) The information contained in this e-mail message is privileged and confidential and is for the exclusive use of the addressee. The person who receives this message and who is not the addressee, one of his employees or an agent entitled to hand it over to the addressee, is informed that he may not use, disclose or reproduce the contents thereof.