Multi-domain AD and Users Who Aren't So Bright

NdK ndk.clanbo at gmail.com
Thu Feb 2 14:16:02 CET 2012


On 01/02/2012 22:57, McNutt, Justin M. wrote:
> So I'm working on a way to Improve the User Experience.  I've gotten a LONG way, but now I'm stuck.  Here's the short/long version (all details, without undue explanation or discussion of what I tried that doesn't work):
Did nearly the same thing just a few days ago.

> 1)  I created two custom attributes named "My-NT-Domain" and "My-User-Name" and added them to the dictionary file as 3003 and 3004, respectively.
I have had no need to create those. Just added, in policy.conf:

unibo_map_realms {
    # DOMAIN\user or DOMAIN.DIR.UNIBO.IT\user: %{1} is the NT domain,
    # %{2} the optional DNS suffix, %{3} the bare account name. The
    # separator backslash is escaped once for the unlang string parser
    # and once more for the regex.
    if (User-Name =~ /^(PERSONALE|STUDENTI)(\\.DIR\\.UNIBO\\.IT)?\\\\(.+)$/i) {
        update request {
            Realm := "%{1}"
            Stripped-User-Name := "%{3}"
        }
    }
    # user@DOMAIN or user@DOMAIN.DIR.UNIBO.IT: here %{1} is the account
    # name and %{2} the NT domain.
    elsif (User-Name =~ /^(.+)@(PERSONALE|STUDENTI)(\\.DIR\\.UNIBO\\.IT)?$/i) {
[... and so on for the various forms...]

Then added to proxy.conf:

# LOCAL domains: *unibo.it (a realm block with no home servers is a
# LOCAL realm, so nothing matching it is proxied)
realm "~^(.*\\.)?unibo\\.it" {
}

to handle "mail-like" domains locally, and finally added to the default
and inner-tunnel virtual servers a call to unibo_map_realms at the very
beginning of the authorize section.

> 3)  I changed /etc/raddb/modules/mschap to call ntlm_auth like this:
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{My-User-Name}:-%{mschap:User-Name}} --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
No extra attributes needed in my case.

> NOW we want to be able to have a user authenticate without specifying a domain.  In theory, that's no big deal.  If the users NEVER specify a domain at all, I can populate my custom attributes with this:
[...]
> NOW, the problem is that if the user DOES specify "domain\username" correctly, then none of the "cleanup" cases match, so My-NT-Domain is empty.  But since my custom attribute is empty, the Perl script is being called unnecessarily to run the LDAP search.
What about checking both your attribute and the mschap:NT-Domain just
after 'suffix' and 'ntdomain' entries?

BTW, do you see Windows setting a domain when the "use login credentials"
checkbox (in the MSCHAPv2 options) is set? I only ever see the
username... That might be good for your script...

BYtE,
 Diego.
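The user-name normalisation discussed in both posts, as an added example that is not code from FreeRADIUS or from either poster: it re-implements the regex ladder of the unlang policy above in Python, generalised to the other forms the post elides (DOMAIN\user, DOMAIN.DIR.UNIBO.IT\user, user@DOMAIN, user@DOMAIN.DIR.UNIBO.IT, mail-style user@*.unibo.it, and a bare account name), and builds the ntlm_auth argument list with the same fallback order as Justin's `%{%{My-NT-Domain}:-%{mschap:NT-Domain}}` xlat. The `needs_lookup` flag is the check Justin is missing: the directory lookup runs only when no domain could be derived from User-Name. The NT domain names, the `.DIR.UNIBO.IT` suffix, the treatment of other `*.unibo.it` suffixes as local mail-like realms, and the hex challenge/response parameters are assumptions chosen for illustration.

```python
"""Model of the User-Name normalisation discussed in this thread.

Added example, not code from FreeRADIUS or from either post. It models
the unlang regex ladder in Python so the precedence of the user-name
forms and the "domain given or not" decision can be exercised offline.
Assumptions (hypothetical, chosen for illustration):
  - the NT domains are PERSONALE and STUDENTI, DNS suffix .DIR.UNIBO.IT;
  - any other *.unibo.it suffix is a "mail-like" local domain for which
    the NT domain is unknown and must come from a directory lookup;
  - ntlm_auth receives the challenge and NT-Response as hex strings.
"""
import re
from typing import List, NamedTuple, Optional

NT_DOMAINS = ("PERSONALE", "STUDENTI")   # assumed NT domain names
NT_DNS_SUFFIX = r"\.dir\.unibo\.it"       # assumed AD DNS suffix
_DOM = "|".join(NT_DOMAINS)

# Ordered ladder, first match wins, like the if/elsif chain in unlang.
_FORMS = (
    # DOMAIN\user and DOMAIN.DIR.UNIBO.IT\user
    re.compile(rf"^(?P<dom>{_DOM})(?:{NT_DNS_SUFFIX})?\\(?P<user>.+)$", re.I),
    # user@DOMAIN and user@DOMAIN.DIR.UNIBO.IT
    re.compile(rf"^(?P<user>.+)@(?P<dom>{_DOM})(?:{NT_DNS_SUFFIX})?$", re.I),
)
# "mail-like" local realms (user@unibo.it, user@studio.unibo.it, ...):
# the same set the proxy.conf regex realm ~^(.*\.)?unibo\.it keeps local.
_LOCAL_MAIL = re.compile(r"^(?P<user>[^@]+)@(?P<dom>(?:.*\.)?unibo\.it)$", re.I)


class MappedUser(NamedTuple):
    local: bool                # handled on this server, not proxied
    nt_domain: Optional[str]   # upper-cased NT domain, None if not derivable
    stripped_user: str         # bare account name for ntlm_auth --username
    needs_lookup: bool         # True only when the NT domain must be looked up


def map_user_name(user_name: str) -> MappedUser:
    """Normalise every accepted User-Name form to (domain, account)."""
    for form in _FORMS:
        m = form.match(user_name)
        if m:
            # Domain supplied by the user: no directory lookup needed.
            return MappedUser(True, m["dom"].upper(), m["user"], False)
    m = _LOCAL_MAIL.match(user_name)
    if m:
        # Local mail-style realm, but the NT domain is still unknown.
        return MappedUser(True, None, m["user"], True)
    if "@" in user_name or "\\" in user_name:
        # Some other realm or NT domain: not ours, leave it to proxy.conf.
        return MappedUser(False, None, user_name, False)
    # Bare account name: local, NT domain must be looked up.
    return MappedUser(True, None, user_name, True)


def ntlm_auth_argv(mapped: MappedUser, challenge: str, nt_response: str,
                   looked_up_domain: Optional[str] = None,
                   mschap_nt_domain: Optional[str] = None) -> List[str]:
    """Build the ntlm_auth command line with the same fallback order as
    the %{%{My-NT-Domain}:-%{mschap:NT-Domain}} xlat: domain derived from
    User-Name first, then the lookup result, then what MS-CHAP carried."""
    domain = mapped.nt_domain or looked_up_domain or mschap_nt_domain
    if not domain:
        raise ValueError(f"no NT domain available for {mapped.stripped_user!r}")
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key",
        f"--username={mapped.stripped_user}",
        f"--domain={domain}",
        f"--challenge={challenge}",
        f"--nt-response={nt_response}",
    ]


if __name__ == "__main__":
    # Constructed sample User-Names covering each form.
    for name in ("PERSONALE\\m.rossi", "studenti.dir.unibo.it\\m.rossi",
                 "m.rossi@STUDENTI", "m.rossi@studio.unibo.it",
                 "m.rossi", "bob@example.org"):
        print(f"{name:32} -> {map_user_name(name)}")
```

Order matters in the ladder exactly as it does in the unlang if/elsif chain: the explicit `DOMAIN\user` and `user@DOMAIN` forms must be tried before the generic `user@*.unibo.it` one, otherwise `m.rossi@personale.dir.unibo.it` would be classified as a mail-like name with an unknown domain and trigger a needless lookup.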
