realms and Windows domain

Craig White craigwhite at azapple.com
Sat Dec 6 20:07:30 CET 2008


freeradius-1.1.3-1.2.el5

LDAP authentication (OpenLDAP)

I am mostly working now, but I do get failures if a user has the Windows
Domain set to any value at all, which of course means that the
authentication is passed as DOMAIN\user. I want it to strip out the
DOMAIN\ part and just keep the user, so Windows laptops would
automatically authenticate the currently logged-in user.

Not sure this is necessary but this is the debug of what is happening...

rlm_ldap: - authorize
rlm_ldap: performing user authorization for MyOrg\craigwhite
radius_xlat:  '(uid=MyOrg\5c\5ccraigwhite)'
radius_xlat:  'ou=People,ou=Accounts,o=MyOrg,c=US'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=admin,o=MyOrg,c=US/pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
filter (uid=MyOrg\5c\5ccraigwhite)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for MyOrg\craigwhite with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [MyOrg\\craigwhite/<no
User-Password attribute>] (from client RRAS port 11 cli 68.231.14.75)
Delaying request 0 for 1 seconds
Finished request 0

I have tried it with ntdomain_hack enabled but the outcome is the same.

If I don't include the Domain, I get authenticated no problem...so I
figure all I need/want is to strip the user name out.

Craig
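The domain-stripping configuration that matches the behaviour described in the post above, as an added example (not Craig's configuration or the FreeRADIUS project's shipped defaults): module and section names are those of FreeRADIUS 1.1.x, the bind password is a placeholder, and the `MyOrg` realm block in proxy.conf is an assumption about what the realm module needs in order to strip the prefix.

```conf
# radiusd.conf (FreeRADIUS 1.1.x) -- added example, not the poster's config.
# Goal: turn "MyOrg\craigwhite" into a bare "craigwhite" before rlm_ldap
# builds its search filter, and make rlm_mschap ignore the domain as well.
modules {
    # Splits the prefix form "DOMAIN\user" into Realm = "MyOrg"
    # and Stripped-User-Name = "craigwhite".
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }

    ldap {
        server   = "localhost"
        identity = "cn=admin,o=MyOrg,c=US"
        password = "BIND_PASSWORD_PLACEHOLDER"      # placeholder, not a real value
        basedn   = "ou=People,ou=Accounts,o=MyOrg,c=US"
        # Search on the stripped name when the realm module set it,
        # otherwise fall back to the full User-Name.
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }

    mschap {
        # The Windows client computes the MS-CHAPv2 response with the bare
        # user name, so the server must drop "MyOrg\" when verifying it.
        with_ntdomain_hack = yes
    }
}

authorize {
    preprocess
    ntdomain    # must run before ldap so Stripped-User-Name already exists
    mschap
    ldap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

# proxy.conf -- assumption: rlm_realm only strips the prefix for a realm it
# knows about, so the domain must be defined and pointed at LOCAL handling.
realm MyOrg {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
```

With this in place the debug output should show `rlm_ldap: performing user authorization for MyOrg\craigwhite` followed by a filter of `(uid=craigwhite)` rather than the escaped `(uid=MyOrg\5c\5ccraigwhite)` seen in the log above.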