New User and AD Question

Phil Mayers p.mayers at
Wed Mar 2 16:01:32 CET 2011

On 02/03/11 14:43, McNutt, Justin M. wrote:

> So in the short term, I'd like to figure out a way to automatically
> match the DNS-style domain name based on the User-Name variable and
> update the NT-Domain variable so ntlm_auth will work for more cases.

%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. 
There's no attribute you can "set", so you'll need to use another 
attribute (see my other email)

> Depending upon how this is implemented - what I'm about to say may
> not be necessary - I'd like to see a flag for the mschap module that
> choose between the "NT-style domain guessing" (which results in "col"
> in this case) and "DNS-style domain guessing" (which would take
> everything after the first dot as the domain.  I think that might
> result in a cleaner solution in the long term.
> I think it should be a flag - set to the current "NT-style guessing
> as the default - to maintain backward compatibility an ease of
> removal in case it turns out to be a Very Bad Idea Indeed.
> What do you think?

I agree. However, as I say - I am pretty sure that long-form won't work 
either if you have a disjoint DNS/AD namespace. In that case, sites are 
going to have to use locally-defined rules.

More information about the Freeradius-Users mailing list