Changing domain for ntlm_auth

Phil Mayers p.mayers at
Wed Jan 25 20:54:19 CET 2012

On 01/25/2012 07:21 PM, NdK wrote:

> That's not doable. If mail is in, domain is not but
> PERSONALE. Same if mail is in . But for
> domain is STUDENTI.

Ok, so you've got >1 AD domain. Not terribly common, but it ought to 
work with mapping as per the 2nd solution.

>> If you can't ignore the realm, you can do something like:
>> modules/mschap:
>>    ...
>>    ntlm_auth = ".. \
>>      --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
>>      --nt-domain=%{%{Realm}:-DEFAULT}"
> More something like %{%{mschap:Domain}:-%{Realm}:-PERSONALE} ...
> [...]
> So I *can* insert unlang code there! Perfect!

No. This is not "unlang". It's just a string expansion.

Unlang is a processing "language" that is only valid inside the virtual 
server "authorize", "post-auth", etc. sections. It's not valid in module 

String expansions (which are valid in unlang) are valid most (not all) 


  1. Use "unlang" in authorize to set a string variable (e.g. Realm)
  2. Use string expansions in the "ntlm_auth" config of the "mschap" 
module to access the string variable.

More information about the Freeradius-Users mailing list