FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 10 12:15:21 CET 2013
On 01/09/2013 08:42 PM, Matthew Ceroni wrote:
> It appears that when Windows sends the username it sends it as
> DOMAIN\\username.
>
> The \\ causes the 5c to appear in the username. I confirmed this by
> using the radtest tool and specifying the username as DOMAIN\\username.
> A single \ causes the username to appear as DOMAINusername so that is
> why double \\ are required.
No, you're misunderstanding what is going on.
"\" is the string escape character e.g. "\n" is "newline", "\t" is tab,
etc. So to put a "\" in a quoted string needs "\\". FreeRADIUS in debug
mode is printing the same thing you would have to type.
That is, Windows is only sending "DOMAIN\username"
"\" is then LDAP-escaped to \5c as per normal LDAP escaping rules.
As to why it's not working - I seriously doubt that you actually have:
sAMAccountName: DOMAIN\user
...in Active Directory. Are you sure this is what you have?
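The three forms of the name discussed in this message (the value as sent, its quoted debug form, and its LDAP-filter-escaped form), as an added Python example that is not part of the original post or of FreeRADIUS. The helper names and the directory entry are constructed for illustration, and splitting off the domain prefix before the lookup is an assumption, not something the post prescribes.

```python
import re

# RFC 4515 filter escaping: each special character becomes "\" plus two hex digits.
_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_SPECIALS.get(ch, ch) for ch in value)

def ldap_filter_unescape(value):
    """Reverse the escaping: this is the literal value the directory compares."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def debug_quote(value):
    """Display form only: backslash and double quote are escaped inside quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def split_nt_name(value):
    """Hypothetical helper: split an NT-style name into (domain, user)."""
    domain, sep, user = value.partition("\\")
    return (domain, user) if sep else (None, value)

def equality_match(entry, ldap_filter):
    """Evaluate one '(attr=value)' filter against an entry, ignoring case."""
    attr, _, raw = ldap_filter[1:-1].partition("=")
    wanted = ldap_filter_unescape(raw).lower()
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == wanted for v in values)

# Constructed sample data: the name as sent (ONE backslash) and an AD-style entry.
WIRE_NAME = "DOMAIN\\user"
ENTRY = {"sAMAccountName": ["user"]}

def demo():
    full = "(sAMAccountName=%s)" % ldap_filter_escape(WIRE_NAME)
    _, user = split_nt_name(WIRE_NAME)
    bare = "(sAMAccountName=%s)" % ldap_filter_escape(user)
    return {
        "debug": debug_quote(WIRE_NAME),           # two backslashes, display only
        "full_filter": full,                       # backslash escaped as \5c
        "full_matches": equality_match(ENTRY, full),
        "bare_filter": bare,
        "bare_matches": equality_match(ENTRY, bare),
    }

if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:13} {val}")
```
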