Changing domain for ntlm_auth

NdK ndk.clanbo at gmail.com
Wed Jan 25 20:21:01 CET 2012


On 25/01/2012 18:24, Phil Mayers wrote:

> There are many ways to do this. The "simplest" is something like the following:
> modules/mschap:
>   ...
>   ntlm_auth = ".. \
>     --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
>     --nt-domain=YOUR-DOMAIN"
That's not doable. If mail is in unibo.it, domain is not unibo.it but
PERSONALE. Same if mail is in esterni.unibo.it. But for studio.unibo.it
domain is STUDENTI.

> sites-enabled/whatever:
> authorize {
>   ...
>   ntdomain
>   suffix
>   mschap
>   ...
> }
> ...and define the realms in your proxy.conf file.
That's what I was trying :)

> This solution basically uses the "realm" module to strip the DOMAIN\user
> and user@domain.com into "user" and "DOMAIN / domain.com". You then
> ignore the realm in your ntlm_auth line - just hard-code it.
Can't hardcode.

> If you can't ignore the realm, you can do something like:
> modules/mschap:
>   ...
>   ntlm_auth = ".. \
>     --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
>     --nt-domain=%{%{Realm}:-DEFAULT}"
More something like %{%{mschap:Domain}:-%{Realm}:-PERSONALE} ...
[...]
So I *can* insert unlang code there! Perfect!

> Basically, YOU control what data is passed to ntlm_auth, and FreeRADIUS
> provides several methods to control this.
It's enough to know where those controls can be placed :)

> If you need more specific help, just ask. But please try to read the
> docs for "man unlang" and the many, many examples in the default configs
> and in the list archives.
I tried (I always try for at least a couple hours before posting a
question)... But without knowing what you're looking for it's hard to
dig it...

Tks. I think w/ this info I'll be OK.

BYtE,
 Diego.
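
The mapping discussed in this thread, written out as an added configuration example (not part of either message, and not the FreeRADIUS default config). It assumes the three mail realms are defined in proxy.conf so that `suffix` sets Realm, and that the server dictionary provides the scratch attribute Tmp-String-0; the leading `..` is left elided as in the thread. Mapping to a fixed set of values means the client-supplied realm is never passed to ntlm_auth directly.

```unlang
# sites-enabled/whatever
authorize {
	...
	ntdomain
	suffix

	# Translate the mail realm into the AD domain named in the thread.
	# Realms that are not listed leave Tmp-String-0 unset.
	if (Realm == "studio.unibo.it") {
		update control {
			Tmp-String-0 := "STUDENTI"
		}
	}
	elsif (Realm == "unibo.it" || Realm == "esterni.unibo.it") {
		update control {
			Tmp-String-0 := "PERSONALE"
		}
	}

	mschap
	...
}

# modules/mschap
mschap {
	...
	# Samba's ntlm_auth spells the domain option --domain.
	# PERSONALE is the fallback when no mapping matched (assumption:
	# that is the wanted default, as in the reply above).
	ntlm_auth = ".. \
	  --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
	  --domain=%{%{control:Tmp-String-0}:-PERSONALE}"
}
```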


