New User and AD Question
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 2 16:01:32 CET 2011
On 02/03/11 14:43, McNutt, Justin M. wrote:
> So in the short term, I'd like to figure out a way to automatically
> match the DNS-style domain name based on the User-Name variable and
> update the NT-Domain variable so ntlm_auth will work for more cases.

%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion.
There's no attribute you can "set", so you'll need to use another
attribute (see my other email).

>
> Depending upon how this is implemented - what I'm about to say may
> not be necessary - I'd like to see a flag for the mschap module that
> chooses between the "NT-style domain guessing" (which results in "col"
> in this case) and "DNS-style domain guessing" (which would take
> everything after the first dot as the domain). I think that might
> result in a cleaner solution in the long term.
>
> I think it should be a flag - set to the current "NT-style guessing"
> as the default - to maintain backward compatibility and ease of
> removal in case it turns out to be a Very Bad Idea Indeed.
>
> What do you think?
I agree. However, as I say - I am pretty sure that long-form won't work
either if you have a disjoint DNS/AD namespace. In that case, sites are
going to have to use locally-defined rules.