FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

Matthew Ceroni matthewceroni at
Wed Jan 9 21:18:50 CET 2013


Thanks for the response. My understanding of what was happening with LDAP
was actually incorrect. I thought it was binding as the admin DN I provided
and then re-binding as the user that is trying to authenticate. The message
returned was "No known good password found for user", which is just a
WARNING, caused because AD doesn't return the password when querying via
LDAP. So no big deal. It was actually doing what I wanted.

Until things got a little strange.

[ldap] performing user authorization for DOMAIN\usrtest
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> DOMAIN\5cusrtest
[ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
[ldap] expand: ou=DOMAIN OU,dc=domain,dc=local -> ou=DOMAIN
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=DOMAIN OU,dc=domain,dc=local, with filter
  [ldap] object not found
[ldap] search failed

As you can see it says performing authorization for DOMAIN\usrtest but then
says it is expanding User-Name to DOMAIN\5cusrtest. Where that 5c comes
from I have no idea. Any thoughts?

On Wed, Jan 9, 2013 at 3:27 AM, Phil Mayers <p.mayers at> wrote:

> On 01/09/2013 12:43 AM, Matthew Ceroni wrote:
>> Hi:
>> I am running FreeRadius version 2.1.12 on a CentOS 6 machine.
>> For authentication I am using AD (ntlm_auth) and this works great. In
>> the request the username is sent as just the plain username (ie:
>> mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.
>> My problem is on the authorization side in which I am using LDAP to grab
>> the groups a user is in. In order to authenticate against ldap my bind
>> DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I
>> modify the User-Name or Stripped user name just for the LDAP
> Don't modify the "User-Name" attribute; that can break certain auth types.
> It's not really clear what you want to do, but you can either edit the
> LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local
> attribute "Full-User-Name" in raddb/dictionary - see the comments in there
> about attribute numbers - then reference that in your LDAP filters.
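An added example, not taken from either poster's message, to show where the 5c comes from. RFC 4515 requires a backslash, `*`, `(`, `)` and NUL inside a filter assertion value to be written as `\` plus two hex digits, and the FreeRADIUS ldap module applies that escaping to every value it expands into a search filter. So `DOMAIN\usrtest` becomes `DOMAIN\5cusrtest` on the wire, but the server decodes it and still compares sAMAccountName against the literal string `DOMAIN\usrtest`; the search fails because that is not the account's sAMAccountName, not because of the escaping. The same escaping is what stops a username containing filter metacharacters from rewriting the filter itself. The function names, the filter builder and the sample inputs below are mine.

```python
import re

# Characters RFC 4515 says must be escaped inside a filter assertion value.
_SPECIAL = set(b"\\*()")


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Each special byte, and every non-printable or non-ASCII byte, is
    written as a backslash followed by two lowercase hex digits, the
    same form seen in the FreeRADIUS debug output (\\5c for '\\').
    """
    out = []
    for b in value.encode("utf-8"):
        if b in _SPECIAL or b < 0x20 or b >= 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def ldap_filter_unescape(value: str) -> str:
    """Reverse ldap_filter_escape: what the LDAP server actually compares."""
    raw = re.sub(
        rb"\\([0-9A-Fa-f]{2})",
        lambda m: bytes.fromhex(m.group(1).decode("ascii")),
        value.encode("utf-8"),
    )
    return raw.decode("utf-8")


def build_samaccountname_filter(stripped_user_name: str, user_name: str) -> str:
    """Mirror the xlat from the debug output:
    (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
    Stripped-User-Name is used when non-empty, otherwise User-Name,
    and the chosen value is escaped before it lands in the filter.
    """
    value = stripped_user_name if stripped_user_name else user_name
    return "(sAMAccountName=%s)" % ldap_filter_escape(value)


def build_unsafe_filter(user_name: str) -> str:
    """Hypothetical naive builder with no escaping, kept only to show
    how a value containing filter metacharacters changes the filter."""
    return "(sAMAccountName=%s)" % user_name


if __name__ == "__main__":
    # Constructed sample: the username from the thread.
    print(build_samaccountname_filter("", "DOMAIN\\usrtest"))
    # -> (sAMAccountName=DOMAIN\5cusrtest)
    print(ldap_filter_unescape("DOMAIN\\5cusrtest"))
    # -> DOMAIN\usrtest
    # Constructed sample: a value with filter metacharacters, escaped vs not.
    print(build_samaccountname_filter("", "*)(objectClass=*"))
    print(build_unsafe_filter("*)(objectClass=*"))
```

Run with `python3 escape_demo.py`. The escaped form of the metacharacter sample is a single assertion whose value happens to contain parentheses, whereas the unescaped form has turned into two assertions, which is why rlm_ldap escapes every expanded value rather than trusting the RADIUS User-Name.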