On 05/02/2024 15:53, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users wrote:
Our email addresses are different form our UPNs which why we need to convert the email supplied
OK.
in the EAP-TLS client cert.
I suspect you mean in the RADIUS request? If you're using EAP-TLS with a client cert then you very likely won't also be using ntlm_auth.
This is what I found to convert the supplied email address into a usable AD username:
Ouch, OK.
The site I found then suggested inside the mschap-module to call the bash-script instead of calling directly ntlm_auth:
More awful advice on the Internet :(
ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} % {mschap:NT-Response:-00}"
Can Freeradius perform the LDAP search natively within the module and return the username for the ntlm_auth command?
Yes, you can do all of this directly from within FreeRADIUS. Configure the LDAP module (raddb/mods-enabled/ldap) - you will see in there the "update" section (not the same as unlang's update) where you can map LDAP attributes to RADIUS attributes. So you will want something like update { request:Tmp-String-1 := 'extensionAttribute15' } then assuming a good LDAP search the &Tmp-String-1 attribute will contain the value of the 'extensionAttribute15' LDAP attribute - which you can use in e.g. the ntlm_auth command, or preferably with the direct winbind configuration in mschap. You will need to use the filters etc in the ldap module configuration to look up the correct entry. If you need to modify the attributes used in the lookup then use regular expressions or similar in unlang to transform the data before calling the ldap module. -- Matthew