On 21/06/16 15:02, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Like when AD domain is @private.dom.my / PRIVATE and radius will absolutely need this. At the moment having configs constructed of bits from wikis/howtos, both: "me@private.dom.my" and "me" get authenticated. unlang.
in fact, recent releases of the server come with many default policies which will do this sort of check/enforcement for you (because they are useful...eg for eduroam!)
either invoke the policy (call it by its name in the virtual server config) or use unlang directly int he authorize section eg
if( User-Name !~ /@/ ) { update reply { Reply-Message = "no realm defined" } reject }
alan thanks guys, Alan, when I try what you shared earlier it works, almost perfect, probably because my (unusual?) setup it fails in one place. Here is what I'm hoping to achieve - local domain (freeipa's ldap) and samba being a client to an AD (all same one box) Radius' a) ldap backend, b) ntlm/winbind backend to AD Now radius authentication fails like I wanted, if auth request does not include @realm. Config (default) goes like this:
authorize .. ntlm_auth if (&User-Name !~ /@private.dom.my$/i) { reject } } I'm not trying it as in a policy yet. It fails now for users like "me" which do exist in ldap (again, all local, locally freeipa ldap). I see ldap is being tried but then radius moves over to ntlm and fails. Care to share more thoughts - I'll be grateful.