New User and AD Question
McNutt, Justin M.
McNuttJ at missouri.edu
Wed Mar 2 18:11:46 CET 2011
> %{mschap:NT-Domain} is not a real variable; it's a dynamic expansion.
> There's no attribute you can "set", so you'll need to use another
> attribute (see my other email)
Gotcha. I'm looking into that now (based on your other e-mail). That's very likely do-able.
> > I think it should be a flag - set to the current "NT-style guessing"
> > as the default - to maintain backward compatibility and ease of
> > removal in case it turns out to be a Very Bad Idea Indeed.
> >
> > What do you think?
>
> I agree. However, as I say - I am pretty sure that long-form won't work
> either if you have a disjoint DNS/AD namespace. In that case, sites are
> going to have to use locally-defined rules.
I'm not following what you mean about "disjoint namespace". You mean the difference between "UMC-USERS" and "col.missouri.edu"? I think of "UMC-USERS" as "NT namespace" whereas I see AD and DNS as the same thing, in this case.
In any event, in the test cases where I hard-coded one of the domain names into the ntlm_auth string, I used "col.missouri.edu" (DNS/long form) and this worked. So I'm confident in that part. I'd just like to see it done automatically, given a user flag that asks it to do so.
--J