Currently I want to authenticate users who enter EXAMPLE\bob or bob@example.com. Also I don't want to grant access to users who enter EXAMPLE.COM\bob or bob@EXAMPLE. To do this I defined two realms in proxy.conf: realm example.com { } realm EXAMPLE { } and modify server configuration: suffix if (ok) { find_dot_in_realm if (notfound) { reject } else { update control { &control:Tmp-String-0 := "(userPrincipalName=%{User-Name})" } } } ntdomain if (ok) { find_dot_in_realm if (ok) { reject } else { update control { &control:Tmp-String-0 := "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" } } } where find_dot_in_realm defined in policy: find_dot_in_realm_regexp = "^(.+)\.(.+)$" find_dot_in_realm { if (Realm && (Realm =~ /${policy.find_dot_in_realm_regexp}/)){ ok } else { notfound } } and defined filter for rlm_ldap configuration as filter = &control:Tmp-String-0 Is it the right approach or something can be done in a better or easier way ? Thanks, Andrei