Using ldap module to return variables to use in other modules.

J.R.Haynes J.Haynes at
Thu Aug 14 01:36:37 CEST 2014

On Wed, 13 Aug 2014 at 21:38 +0100, David Rickard wrote

> Hi all,
> Does anybody know where I'm going wrong with this? Is it even possible? 

  I think the problem is that you are not running the ntlm command which 
you are intending to run.

> I modified the ntlm module as follows:
>     exec ntlm_auth {
>                    wait = yes
>                    program = "/path/to/ntlm_auth --request-nt-key
>               --domain=MYDOMAIN --username=%{Bucks-samAccountName}
>               --password=%{User-Password}"
>            }

but the debug shows

> [mschap] Unknown expansion string "Bucks-sAMAccountName:-None"
> [mschap] expand: --username=%{mschap:Bucks-sAMAccountName:-None} -> --username=

i.e. the username parameter is using mschap xlat and there is no mschap 
xlat function called Bucks-sAMAccountName.

This is running the mschap module not your ntlm_auth module and that 
module is instantiated as

> Module: Instantiating module "mschap" from file  /etc/raddb/modules/mschap
>  mschap {
>        use_mppe = yes
>        require_encryption = no
>        require_strong = no
>        with_ntdomain_hack = no
>        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>    --username=%{mschap:Bucks-sAMAccountName:-None}
>    --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
>    --challenge=%{mschap:Challenge:-00}
>    --nt-response=%{mschap:NT-Response:-00}"
>        allow_retry = yes
>  }

You need to change the username parameter in there. The important point 
is that you don't want the 'mschap:'. I think it should be
  --username=%{%{Bucks-samAccountName}:-None} but you might need to check 
my syntax.

If MYDOMAIN is actually in your config you will also need to use your 
correct domain but this may be part of your sanitisation.

This is assuming that your samAccountName attribute is always going to be 
the username that ntlm_auth wants. If you need the manipulation that is 
performed by mschap:User-Name then I think you are out of luck as I don't 
think there is a way to tell the mschap:User-Name function to act on an 
arbitrary string - it always uses the User-Name attribute.


                              J. R. Haynes
                         Senior Network Specialist

      IT Department,                  e-mail: J.Haynes at
      Bld 63,
      Cranfield University,           Tel: Bedford (01234) 754205
      Wharley End,                         Bedford (01234) 750111 Extn 4205
      Cranfield,                      Fax: Bedford (01234) 751814
      MK43 0AL.
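As an added example (not part of the thread above, and not FreeRADIUS project code), the fragments below sketch a FreeRADIUS 2.x setup in which rlm_ldap fills a site-local attribute from the user's sAMAccountName and rlm_mschap's ntlm_auth line then consumes it, as the reply suggests, with the "mschap:" prefix dropped and a nested default. The attribute name, its number 3000, the file paths and MYDOMAIN are assumptions for illustration; the example references the attribute via the control list because ldap.attrmap checkItem entries land there, so adjust the list name if you put the value in the request list instead.

```conf
# Added example, not from the original thread. FreeRADIUS 2.x syntax.
# Assumed: attribute name Bucks-samAccountName, local number 3000,
# default paths under /etc/raddb, domain MYDOMAIN.

# /etc/raddb/dictionary -- a site-local attribute to carry the LDAP value.
# The 3000-3999 range is reserved for local use in the 2.x dictionary.
ATTRIBUTE   Bucks-samAccountName   3000   string

# /etc/raddb/ldap.attrmap -- during authorize, copy sAMAccountName from the
# user's LDAP entry into the check (control) list as Bucks-samAccountName.
checkItem   Bucks-samAccountName   sAMAccountName

# /etc/raddb/modules/mschap -- reference the attribute directly rather than
# through a non-existent "mschap:Bucks-sAMAccountName" xlat.
mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no

	# Broken (from the debug output in the thread):
	#   --username=%{mschap:Bucks-sAMAccountName:-None}
	# Corrected: plain attribute xlat on the control list, "None" as fallback.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{control:Bucks-samAccountName}:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	allow_retry = yes
}
```

Run `radiusd -X` and check that the expand line now reads `--username=<value>` rather than `--username=`. Note also that the `exec ntlm_auth` variant in the original question passes `--password=%{User-Password}`, which only exists for PAP and puts the clear-text password on a command line visible in the process list; the mschap path above hands ntlm_auth only the challenge and NT-Response.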

More information about the Freeradius-Users mailing list