Il 25/01/2012 12:48, Alan DeKok ha scritto:
To let (most (*)) users login with their e-mail address, I'd need to "translate" the realm part to a domain. I'm not sure why. Because KRB5-domain and DNS-domain are different in my setup. And I can't change it.
So I added to proxy.conf : ... realm "~^studio\\.unibo\\.it" { Realm := "STUDENTI" } Huh? NOTHING in the documentation or examples says that should work. It won't work. Don't do it. Ok.
What I thought it would do was "if user name is like '@studio.unibo.it' then set REALM to be local 'STUDENTI'" but obviously I was wrong... The server documentation describes how it works. Follow the documentation to configure it. But what should I do? In other words, *which* doc should I follow? How is the needed feature named?
I'm not sure you can change the domain for PEAP with ntlm_auth. The domain is *also* in the MS-CHAP data. So changing it in the arguments to ntlm_auth will likely not work. I *think* it works by omitting the domain from checks, just like when considering NT domain...
If I authenticate using user@PERSONALE it works perfectly. What am I missing? It doesn't work the way you think it works. It works the way it's documented to work. I know. But I couldn't find the doc to read...
(*) Just 'most' users since I couldn't yet find a way to use the UPN, so users whose UPN have been changed must login with their 'base' name. Don't think there's an easy fix for this, since even joined win machines *sometimes* refuse the changed UPN... Have the users change their login domain. Those "pathologic" cases have to change. But it's usually much better to let 99% of the users authenticate in the same way on all the services...
BYtE, Diego.