mschap:User-Name and DOM\user versus user@DOM.EXAMPLE.COM
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jul 25 15:00:01 CEST 2007
All,

A few facts first;

Windows seems to "know" about both DOM\user and user@DOM.EXAMPLE.ORG
formats for usernames; when generating an mschap response, it only ever
uses the "user" portion.

ntlm_auth seems to take *exactly* what you put into the command line;
that is, it does NO stripping of DOM\user or user@DOM.EXAMPLE.ORG

rlm_mschap registers several expansions, including mschap:User-Name -
this particular expansion performs the following transforms:

  host/name.dom.example.org -> name$
  DOM\user -> user

I'm wondering if it would be sensible to add the following transform to
the above list:

  user@DOM.EXAMPLE.ORG -> user

The rationale being thus: if you want to support both prefix and suffix
forms of the realm *and* machine based auth, you have to use the
slightly non-intuitive syntax:

  ntlm_auth --username=%{Stripped-User-Name:-%{mschap:User-Name}}

and have:

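  modules {
    realm suffix {
      format = suffix
      delimiter = "@"
      ignore_null = yes
    }
    realm ntdomain {
      format = prefix
      # the backslash has to be escaped inside the quoted string
      delimiter = "\\"
      ignore_null = yes
    }
  }
  authorize {
    preprocess
    # realm instances are called by the names defined in modules {}
    ntdomain
    suffix
    mschap
  }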

If the @suffix transform were in mschap, it would be possible to
dispense with the realm modules entirely, and just use:

  ntlm_auth --username=%{mschap:User-Name}

Comments?
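
Added example, not part of the original post and not rlm_mschap's own code: a C function applying the two existing mschap:User-Name transforms plus the proposed @suffix one, so the name handed to ntlm_auth is the bare "user" form. The function names, splitting on the last '@', and treating a host/ name with no dot as the whole machine name are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Illustration only, not rlm_mschap source. Writes the normalized name to
 * `out`; returns 0 on success, -1 on an empty result or too-small buffer. */
int mschap_user_name(const char *in, char *out, size_t outlen)
{
    const char *start = in, *end, *p;
    size_t len, machine = 0;
    if (strncmp(in, "host/", 5) == 0) {
        /* host/name.dom.example.org -> name$ */
        start = in + 5;
        end = strchr(start, '.');
        machine = 1;
    } else {
        /* DOM\user -> user */
        if ((p = strchr(in, '\\')) != NULL)
            start = p + 1;
        /* Proposed: user@DOM.EXAMPLE.ORG -> user (assumption: last '@') */
        end = strrchr(start, '@');
    }
    if (end == NULL)                    /* no dot / no realm: keep the rest */
        end = start + strlen(start);
    len = (size_t)(end - start);
    if (len == 0 || len + machine + 1 > outlen)
        return -1;                      /* never pass an empty name on */
    memcpy(out, start, len);
    if (machine)
        out[len++] = '$';
    out[len] = '\0';
    return 0;
}

/* Returns 1 when `in` normalizes to exactly `want`. */
int norm_eq(const char *in, const char *want)
{
    char buf[64];
    return mschap_user_name(in, buf, sizeof(buf)) == 0 && strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed inputs in the three forms discussed in the post. */
    const char *in[] = { "host/name.dom.example.org", "DOM\\user", "user@DOM.EXAMPLE.ORG" };
    char buf[64];
    for (size_t i = 0; i < 3; i++)
        if (mschap_user_name(in[i], buf, sizeof(buf)) == 0)
            printf("%s -> %s\n", in[i], buf);
    return 0;
}
```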