Removing domain prefix from login
Phil Mayers
p.mayers at imperial.ac.uk
Fri Nov 11 08:41:24 CET 2011
On 11/10/2011 10:06 PM, Alan Buxey wrote:
> Hi,
>
>> As per the docs. This config item should not be used, and is causing
>> things to break.
>
> umm, wasn't there a discussion recently in which
>
> with_ntdomain_hack = yes
>
> was going to be set by default in FR 3.x?

That was the option on the mschap module. That option does not modify
the packet, and only controls the string that is input into the mschap
challenge/response calculation. Since the RFC says that input string
should always be the username without leading DOMAIN\, it seems sensible
to change that default and rename the option to something like
"challenge_ignore_ntdomain" or something.

*This* option, unfortunately named the same thing, does something
different - it modifies the username in the packet to remove the DOMAIN\
which is almost never a good thing, and definitely not if you're using
EAP. It should probably just be removed - people can use unlang if they
really want to hack away at the username.

There's also a with_ntdomain_hack on rlm_eap_mschapv2 which again does
something different - it strips the DOMAIN\ when proxying the mschap to
a remote server. It should probably be renamed to "proxy_send_domain" or
something.
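
The distinction drawn in the message above, as an added example that is not part of the original post or FreeRADIUS code: the RFC 2759 ChallengeHash computed over the User-Name with and without the DOMAIN\ prefix, while the packet attribute itself is left untouched. The `ignore_ntdomain` parameter, the challenge bytes and the user name are constructed for illustration.

```python
import hashlib

def strip_ntdomain(username: str) -> str:
    """Return the account name without a leading DOMAIN\\ prefix."""
    _, sep, rest = username.partition("\\")
    return rest if sep else username

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   username: str, ignore_ntdomain: bool) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    ignore_ntdomain is a hypothetical flag modelling the mschap module
    option: it changes only the hash input, never the packet."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    name = strip_ntdomain(username) if ignore_ntdomain else username
    data = peer_challenge + auth_challenge + name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

# Constructed sample values, not taken from any real exchange.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
PACKET_USER_NAME = "EXAMPLE\\alice"   # User-Name as sent in the packet

def peer_hash() -> bytes:
    # A peer following the RFC hashes the bare account name.
    return challenge_hash(PEER, AUTH, strip_ntdomain(PACKET_USER_NAME), False)

def server_matches(ignore_ntdomain: bool) -> bool:
    # The server hashes what it received; only stripping the hash input
    # (not rewriting the packet) makes the two sides agree.
    server = challenge_hash(PEER, AUTH, PACKET_USER_NAME, ignore_ntdomain)
    return server == peer_hash()

if __name__ == "__main__":
    for flag in (False, True):
        print(f"ignore_ntdomain={flag}: match={server_matches(flag)}, "
              f"packet User-Name still {PACKET_USER_NAME!r}")
```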