Multi-domain AD and Users Who Aren't So Bright

NdK ndk.clanbo at gmail.com
Fri Feb 3 19:41:14 CET 2012


On 03/02/2012 18:57, Phil Mayers wrote:

> FreeRADIUS is a bit complex in this area, because of the age of the code
> involved. But basically:
>  1. "with_ntdomain_hack = yes" on the mschap module strips leading DOMAIN\
So it's not a "hack". It's "follow_mschap_specs" :)

>  2. Otherwise, you have to populate Stripped-User-Name yourself
That's what I'm currently doing. The philosophy being "build in little
steps", all the "domain logins" already work. Even "login with mail" for
users w/o UPN change works. It could even be enough, but my hacking
genes would be really upset if I didn't try everything... :)

> Really, with_ntdomain_hack should be renamed "strip_domain", should
> strip either leading DOMAIN\ or trailing @domain.com, and should default
> to "on".
Shouldn't that be handled by 'suffix' ?

> I need to write a patch for 3.0 which does this.
Good.

>> the 'base name' would be user.name3, but the old UPN gets set for
>> user.name2 and u.name now "points" to user.name3 . So the mail address
>> is 'constant' even if the 'internal identity' changes. That person keeps
>> logging in as u.name at unibo.it .
> That sounds complicated.
It is. Historical reasons ('we' started using AD ages ago... even M$
techs gave up on our setup :) ). The same for having multiple domains:
even M$ (at that time) didn't know if a single domain could handle about
500K users. *Now* we all know it can, and a team has been working for
about 6 years trying to "collapse" the forest into a single tree.

> Maybe. I think you're doing something complicated and weird, and I don't
> think you should be surprised if it doesn't work well in some cases. I
> don't think userPrincipalName is meant to be used that way.
Neither do I, but others thought so and now it can't be changed (at
least not easily, and for sure not by me)...
If it won't work, I'll be confident it's impossible to make it work
within our environment. But if I make it work, it could be useful for
others.

BYtE,
 Diego.
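The "strip_domain" behaviour discussed in this exchange (strip a leading DOMAIN\ as with_ntdomain_hack does, or a trailing @realm as the suffix module does, and hand the bare name plus the domain on to the backend) is easy to get subtly wrong in unlang, so here it is spelled out as a small added Python model. This is an illustration written for this page, not FreeRADIUS code and not Diego's configuration; the function names (strip_domain, resolve_ntlm_auth_args), the Login dataclass, and the SAMPLE_DIRECTORY / SAMPLE_REALMS tables (which mimic the thread's "UPN stays constant while the account name changes" case) are constructed assumptions.

```python
"""Model of DOMAIN\\user and user@realm stripping for MS-CHAP/AD backends.

Added example for this page, not FreeRADIUS code. It splits whatever
User-Name a Windows client sent into the bare account name (what would go
into Stripped-User-Name) and the domain or realm the user named, then picks
the arguments an ntlm_auth-style helper would need in a multi-domain forest.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed syntaxes: NetBIOS-style DOMAIN\user and UPN/mail-style user@realm.
_NT_PREFIX = re.compile(r"^([^\\@/]+)\\(.+)$")   # DOMAIN\user
_UPN_SUFFIX = re.compile(r"^([^\\@]+)@([^@]+)$")  # user@realm


@dataclass(frozen=True)
class Login:
    stripped_user_name: str   # the bare account name
    domain: Optional[str]     # NetBIOS domain, realm, or None for a bare name
    form: str                 # "ntdomain", "upn" or "bare"


def strip_domain(user_name: str) -> Login:
    """Strip a leading DOMAIN\\ (with_ntdomain_hack semantics) or a trailing
    @realm (suffix-module semantics), whichever the client used.

    A name such as DOMAIN\\user@realm is ambiguous: the NetBIOS prefix wins
    and the remainder is left untouched so a caller can spot the mismatch.
    """
    if not user_name:
        raise ValueError("empty User-Name")
    m = _NT_PREFIX.match(user_name)
    if m:
        return Login(m.group(2), m.group(1).upper(), "ntdomain")
    m = _UPN_SUFFIX.match(user_name)
    if m:
        return Login(m.group(1), m.group(2).lower(), "upn")
    return Login(user_name, None, "bare")


# Constructed sample data (not real accounts): UPN -> (NetBIOS domain, sAMAccountName).
# Models the thread's case: the UPN u.name@unibo.it is kept stable while the
# underlying account is now user.name3, possibly in another domain of the forest.
SAMPLE_DIRECTORY: Dict[str, Tuple[str, str]] = {
    "u.name@unibo.it": ("PERSONALE", "user.name3"),
    "alice@studenti.unibo.it": ("STUDENTI", "alice"),
}
# Constructed realm -> NetBIOS domain map for UPNs not found in the directory.
SAMPLE_REALMS: Dict[str, str] = {
    "unibo.it": "PERSONALE",
    "studenti.unibo.it": "STUDENTI",
}


def resolve_ntlm_auth_args(
    user_name: str,
    directory: Dict[str, Tuple[str, str]] = SAMPLE_DIRECTORY,
    realms: Dict[str, str] = SAMPLE_REALMS,
    default_domain: str = "PERSONALE",
) -> Optional[Tuple[str, str]]:
    """Return (domain, account) for an ntlm_auth-style --domain/--username pair.

    Precedence: an explicit DOMAIN\\ prefix; a UPN known to the directory
    (whose account name may differ from the UPN's local part); a realm in the
    realm map; otherwise the default domain. Returns None for an unknown realm
    so the caller can reject instead of guessing a domain.
    """
    login = strip_domain(user_name)
    if login.form == "ntdomain":
        return login.domain, login.stripped_user_name
    if login.form == "upn":
        hit = directory.get(user_name.lower())
        if hit:
            return hit
        dom = realms.get(login.domain)
        return (dom, login.stripped_user_name) if dom else None
    return default_domain, login.stripped_user_name


if __name__ == "__main__":
    for name in ("UNIBO\\u.name", "u.name@unibo.it", "bob@other.example", "bob"):
        print(name, "->", strip_domain(name), resolve_ntlm_auth_args(name))
```

The reason the bare name matters for MS-CHAP specifically, and not only for the directory lookup, is that a Windows client computes its MS-CHAPv2 response over the account name without the DOMAIN\ prefix while still sending the prefixed form in User-Name; that is the mismatch with_ntdomain_hack exists to paper over, and why the stripped value rather than the raw User-Name has to reach the mschap module.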