choose proxy based on AD
David McPike
davidmcpike at gmail.com
Thu Sep 30 17:40:59 CEST 2010
>> In other words, if I proxy to the old radius server, the username
>> needs to be realm\user again.
>
> Set "nostrip" in the realm configuration.

I finally have a solution. I wanted to keep strip enabled because I
have to perform the LDAP query on the stripped username. So, I added
the following logic to pre-proxy {}:

    # non-migrated old child domain user
    if ("%{control:Proxy-To-Realm}" != "newrealm" && Realm) {
        update proxy-request {
            User-Name := "%{Stripped-User-Name}@%{Realm}"
        }
    }

This allows me to authenticate all child domain users from a single
old parent domain controller instead of having IAS servers installed
in every child domain.

I just had to re-read the unlang man page enough times to get all the pieces.

Thanks for all your help!

David