Multi-domain AD [Kudos]

McNutt, Justin M. McNuttJ at missouri.edu
Wed Feb 1 23:12:22 CET 2012


Btw, kudos to Alan DeKok and the rest of the FR developers for these FR abilities.  The things listed here were INVALUABLE to figuring all of this out without just guessing:

1)  "radiusd -XC"  You just can't live without this.  Seriously.

2)  "radiusd -X"    It's there for a reason.  Specifically,

3)  THIS (from radiusd -X):

++? if (User-Name =~ /host\/[^\.]+\.(.+)/ )
? Evaluating (User-Name =~ /host\/[^\.]+\.(.+)/) -> FALSE
++? if (User-Name =~ /host\/[^\.]+\.(.+)/ ) -> FALSE
++? elsif (User-Name =~ /([^\/]+)\/(.+)/ )
? Evaluating (User-Name =~ /([^\/]+)\/(.+)/) -> FALSE
++? elsif (User-Name =~ /([^\/]+)\/(.+)/ ) -> FALSE

4)  and THIS:

[mschap] Told to do MS-CHAPv2 for tmpid with NT-Password
[mschap] expand: %{My-User-Name} ->
[mschap] expand: %{mschap:User-Name} -> tmpid
[mschap] expand: --username=%{%{My-User-Name}:-%{mschap:User-Name}} -> --username=tmpid
[mschap] expand: %{My-NT-Domain} ->
[mschap] expand: %{mschap:NT-Domain} -> testing
[mschap] expand: --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}} -> --domain=testing

5)  and last, but certainly not least, "man unlang".  It won't read itself, yanno!

It may not be the best way to do it, but it works, and I couldn't have done it without all of these debugging features.  It's what my Linux sysadmin calls "awesome sauce."

--J
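The two unlang conditions in item 3 and the `%{%{My-X}:-%{mschap:X}}` fallbacks in item 4 together decide what ends up in ntlm_auth's --username and --domain arguments. The following script is an added model of that decision, written for this page; it is not FreeRADIUS code and not the poster's configuration. It reuses the two regexes exactly as they appear in the debug output above, and assumes (since the post does not show the `update` blocks) that the host/ branch sets My-NT-Domain from the DNS suffix and leaves the user name to MS-CHAP, while the DOMAIN/user branch sets both My-User-Name and My-NT-Domain. The MS-CHAP-supplied values are passed in as parameters; the sample inputs are constructed.

```python
import re

# Regexes copied verbatim from the "radiusd -X" output in the post. unlang compiles
# them as POSIX extended regexes and applies them unanchored, which for these two
# patterns behaves the same as Python's re.search().
HOST_PATTERN = re.compile(r"host\/[^\.]+\.(.+)")
DOMAIN_PATTERN = re.compile(r"([^\/]+)\/(.+)")


def derive_overrides(user_name):
    """Model of the if/elsif pair: returns (My-User-Name, My-NT-Domain).

    None stands for "attribute not set", which %{My-...} expands to an
    empty string. Which attributes each branch sets is an assumption of
    this example; the post only shows the conditions, not the updates.
    """
    m = HOST_PATTERN.search(user_name)
    if m:
        # host/pc01.corp.example.com -> domain suffix "corp.example.com";
        # the account name itself is left for MS-CHAP to supply.
        return None, m.group(1)
    m = DOMAIN_PATTERN.search(user_name)
    if m:
        # CORP/alice -> user "alice", domain "CORP"
        return m.group(2), m.group(1)
    # Plain "tmpid": both conditions FALSE, exactly as in the debug output.
    return None, None


def expand_with_default(override, mschap_value):
    """Model of %{%{My-X}:-%{mschap:X}}: an unset override yields the MS-CHAP value."""
    return override if override else mschap_value


def ntlm_auth_args(user_name, mschap_user, mschap_domain):
    """Return the (--username=..., --domain=...) pair the mschap module would expand.

    mschap_user / mschap_domain stand in for %{mschap:User-Name} and
    %{mschap:NT-Domain}, which the real module derives from the MS-CHAP exchange.
    """
    my_user, my_domain = derive_overrides(user_name)
    return (
        "--username=" + expand_with_default(my_user, mschap_user),
        "--domain=" + expand_with_default(my_domain, mschap_domain),
    )


if __name__ == "__main__":
    # Constructed sample requests: (User-Name, %{mschap:User-Name}, %{mschap:NT-Domain})
    samples = [
        ("tmpid", "tmpid", "testing"),                      # the case shown in the post
        ("host/pc01.corp.example.com", "pc01$", "testing"),  # machine account
        ("CORP/alice", "alice", "testing"),                  # explicit DOMAIN/user
        ("host/pc01", "pc01$", "testing"),                   # no dot: falls to 2nd regex
    ]
    for user_name, mu, md in samples:
        print(f"{user_name:30s} -> {' '.join(ntlm_auth_args(user_name, mu, md))}")
```

Two things the model makes visible that the debug output alone does not: the `if`/`elsif` order matters, because `host/pc01.corp.example.com` also matches the second regex (as domain "host", user "pc01.corp.example.com") and is only handled correctly because the host/ test runs first; and a User-Name of the form `host/pc01` with no dot in the host part does not match the first regex at all and falls through to the second, so it would be handed to ntlm_auth as domain "host". If machine accounts without a DNS suffix can occur, that case needs its own condition.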

From: Z <mcnuttj at missouri.edu>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: Wed, 1 Feb 2012 21:57:02 +0000
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Multi-domain AD and Users Who Aren't So Bright

So I'm working on a way to Improve the User Experience.  I've gotten a LONG way, but now I'm stuck.  Here's the short/long version (all details, without undue explanation or discussion of what I tried that doesn't work):

WARNING:  This may well be a case of doing it the hard way.  If that's the case, feel free to tell me, but it's not for lack of trying to research this via Google, searching archives of this list, etc.  Just tell me what I'm doing wrong.  I can handle it.  ;)

Okay, here goes:
