Could'nt authenticate windows host account with freeradius + ldap backend + samba domain controller

Alan DeKok aland at
Sat Dec 15 08:35:05 CET 2007

david.barbion at wrote:
> Hello,
> The problem is when a computer tries to authenticate, the User-Name sent
> is "host//computername/", but in ldap we have entrie like
> /computername/$. So we have some attr_rewrite that removes host/ and
> adds the dollar sign.

  Why?  You can just create a *new* attribute, Stripped-User-Name, with
the updated contents.  Then, configure the ldap module to look first for
Stripped-User-Name, and then User-Name:

  foo = "... %{Stripper-User-Name:%{User-Name}} ..."

  See doc/variables.txt

> rlm_ldap finds correctly the entry, but EAP
> complains about the user name change: "*rlm_eap: Identity does not match
> User-Name, setting from EAP Identity.**
>  rlm_eap: Failed in handler"

  Then... don't edit the User-Name.  There's no need to edit it.

  Alan DeKok.

More information about the Freeradius-Users mailing list