FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

Matthew Ceroni matthewceroni at
Wed Jan 9 21:42:06 CET 2013

It appears that when Windows sends the username it sends it as

The \\ causes the 5c to appear in the username. I confirmed this by using
the radtest tool and specifying the username as DOMAIN\\username. A single
\ causes the username to appear as DOMAINusername so that is why double \\
are required.


On Wed, Jan 9, 2013 at 12:18 PM, Matthew Ceroni <matthewceroni at>wrote:

> Phil:
> Thanks for the response. My understanding of what was happening with LDAP
> was actually incorrect. I thought it was binding as the admin DN I provided
> and then re-binding as the user that is trying to authenticate. The message
> returned was "No known good password found for user". Which is just a
> WARNING and caused because AD doesn't return the password when querying via
> LDAP. So no big deal. It was actually doing what I wanted.
> Until things got a little strange.
> [ldap] performing user authorization for DOMAIN\usrtest
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] ... expanding second conditional
> [ldap] expand: %{User-Name} -> DOMAIN\5cusrtest
> [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (samAccountName=DOMAIN\5cusrtest)
> [ldap] expand: ou=DOMAIN OU,dc=domain,dc=local -> ou=DOMAIN
> OU,dc=domain,dc=local
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in ou=DOMAIN OU,dc=domain,dc=local, with filter
> (samAccountName=DOMAIN\5cusrtest)
>   [ldap] object not found
> [ldap] search failed
> As you can see it says performing authorization for DOMAIN\usrtest but
> then says it is expanding User-Name to DOMAIN\5cusrtest. Where that 5c
> comes from I have no idea. Any thoughts?
> On Wed, Jan 9, 2013 at 3:27 AM, Phil Mayers <p.mayers at>wrote:
>> On 01/09/2013 12:43 AM, Matthew Ceroni wrote:
>>> Hi:
>>> I am running FreeRadius version 2.1.12 on a CentOS 6 machine.
>>> For authentication I am using AD (ntlm_auth) and this works create. In
>>> the the request the username is sent as just the plain username (ie:
>>> mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.
>>> My problem is on the authorization side in which I am using LDAP to grab
>>> the groups a user is in. In order to authentication against ldap my bind
>>> DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I
>>> modify the User-Name or Stripped user name just for the LDAP
>> Don't modify the "User-Name" attribute; that can break certain auth types.
>> It's not really clear what you want to do, but you can either edit the
>> LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local
>> attribute "Full-User-Name" in raddb/dictionary - see the comments in there
>> about attribute numbers - then reference that in your LDAP filters.
>> -
>> List info/subscribe/unsubscribe? See**
>> list/users.html <>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list