FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization
p.mayers at imperial.ac.uk
Wed Jan 9 12:27:54 CET 2013
On 01/09/2013 12:43 AM, Matthew Ceroni wrote:
> I am running FreeRadius version 2.1.12 on a CentOS 6 machine.
> For authentication I am using AD (ntlm_auth) and this works great. In
> the request the username is sent as just the plain username (ie:
> mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.
> My problem is on the authorization side in which I am using LDAP to grab
> the groups a user is in. In order to authenticate against ldap my bind
> DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I
> modify the User-Name or Stripped user name just for the LDAP
Don't modify the "User-Name" attribute; that can break certain auth types.
It's not really clear what you want to do, but you can either edit the
LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local
attribute "Full-User-Name" in raddb/dictionary - see the comments in
there about attribute numbers - then reference that in your LDAP filters.