FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

Phil Mayers p.mayers at
Wed Jan 9 12:27:54 CET 2013

On 01/09/2013 12:43 AM, Matthew Ceroni wrote:
> Hi:
> I am running FreeRadius version 2.1.12 on a CentOS 6 machine.
> For authentication I am using AD (ntlm_auth) and this works create. In
> the the request the username is sent as just the plain username (ie:
> mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.
> My problem is on the authorization side in which I am using LDAP to grab
> the groups a user is in. In order to authentication against ldap my bind
> DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I
> modify the User-Name or Stripped user name just for the LDAP

Don't modify the "User-Name" attribute; that can break certain auth types.

It's not really clear what you want to do, but you can either edit the 
LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local 
attribute "Full-User-Name" in raddb/dictionary - see the comments in 
there about attribute numbers - then reference that in your LDAP filters.

More information about the Freeradius-Users mailing list