Changing domain for ntlm_auth

Phil Mayers p.mayers at imperial.ac.uk
Wed Jan 25 18:24:37 CET 2012


On 01/25/2012 02:30 PM, NdK wrote:
> On 25/01/2012 13:32, Phil Mayers wrote:
>
>>> To let (most (*)) users login with their e-mail address, I'd need to
>>> "translate" the realm part to a domain.
>> Why do you think this is true?
> 'cause ntlm_auth won't authenticate user.name@unibo.it or
> user.name@PERSONALE. It returns "no such user". It authenticates
> PERSONALE\user.name. Or "--username=user.name --domain=PERSONALE".

So don't pass that in.

> That's not FR-related. It's something in Win/AD, so I think there's
> nothing doable from FR to "fix" it.

Not so. You can configure FreeRADIUS to pass correct data.

There are many ways to do this. The "simplest" is something like the following:

modules/mschap:

   ...
   # ntlm_auth takes the NT domain via --domain; the user part comes from
   # the realm module (Stripped-User-Name) when it stripped a realm
   ntlm_auth = ".. \
     --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
     --domain=YOUR-DOMAIN"

sites-enabled/whatever:

authorize {
   ...
   ntdomain
   suffix
   mschap
   ...
}

...and define the realms in your proxy.conf file.

This solution basically uses the "realm" module to strip the DOMAIN\user 
and user@domain.com into "user" and "DOMAIN / domain.com". You then 
ignore the realm in your ntlm_auth line - just hard-code it.

If you can't ignore the realm, you can do something like:


modules/mschap:

   ...
   # pass the (re-written) realm as the NT domain, falling back to DEFAULT
   ntlm_auth = ".. \
     --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
     --domain=%{%{Realm}:-DEFAULT}"

sites-enabled/whatever:

authorize {
   ...
   suffix
   ntdomain
   # check and maybe re-write the realm
   if (Realm) {
    switch "%{Realm}" {
     case "SHORT" {
       # nothing to do, leave alone
     }
     case "LONG.FORM" {
       update request {
         Realm := "SHORT"
       }
     }
     case {
       # unknown realm
       reject
     }
    }
   }
   mschap
}

Alternatively you can process the realm yourself using regexps. This 
gives you a bit more control. For example:

authorize {
   # DOMAIN\user form: "\\" matches one literal backslash inside a regex
   if (User-Name =~ /^SHORT\\(.+)$/) {
     update request {
       Realm := SHORT
       Stripped-User-Name := "%{1}"
     }
   }
   # user@long.com form: escape the dot and anchor the end of the name
   elsif (User-Name =~ /^(.+)@long\.com$/i) {
     update request {
       Realm := SHORT
       Stripped-User-Name := "%{1}"
     }
   }
   ...
}

...and so on.

Basically, YOU control what data is passed to ntlm_auth, and FreeRADIUS 
provides several methods to control this.

All you need to do is:

  1. Write down a list of which formats you want to allow
  2. Write a FreeRADIUS config that allows those formats, and passes the correct data into ntlm_auth

If you need more specific help, just ask. But please try to read the 
docs for "man unlang" and the many, many examples in the default configs 
and in the list archives.



More information about the Freeradius-Users mailing list