UserPrincipalName with ntlm_auth, trying to get it "right"

Mathieu Simon (Lists) matsimon.lists at
Wed Jan 13 22:47:30 CET 2016

Dear List

I have a setup where users should move to using their UserPrincipalName
which conveniently matches their mail address.
(something they tend to remember easily)

Now ntlm_auth doesn't quite like UPNs, it wants a sAMAccountName, I
found out about that.

If sAMAccountName was equal to the first part of the UPN, I found the
following in proxy.conf would give me the first part of the given UPN
as Stripped-User-Name (since no nostrip option) and continue to process
things locally.

realm "thissuffix.tld" {
        authhost = LOCAL
        accthost = LOCAL
}

However in this directory the *prefix in the UPN doesn't match with the
sAMAccountName* (for $anyreason). ntlm_auth obviously fails there.

I came across a thread on UPN usage from early 2015 (and a couple of others),
yet I couldn't come across something giving me a clearer idea.*

My current impression is that at some point, if given a UPN, an LDAP
search should be done first to return the sAMAccountName. Then use that
with the ntlm_auth binary in modules/mschap to check credentials and do
the MSCHAP challenge.

Am I on the right track? - I saw something on Stack Overflow using a bash
script that is executed via mods-available/mschap**, but not sure about
that yet if that's the right place.

I'm thankful for any pointer in the right direction.

Let alone that AD domain computers should be able to still authenticate
with their own format that Windows clients use instead of the UPN when
they are part of a domain...

-- Mathieu
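
The lookup step described in the post, sketched as an added example (not part of the original message and not FreeRADIUS code): the User-Name is classified, only UPNs are resolved through a directory search, and the client-supplied value is escaped per RFC 4515 before it goes into the LDAP filter. The `search` callable, the in-memory directory and the account names are constructed assumptions; the `host/` prefix is the form Windows domain computers send.

```python
import re

# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def upn_filter(upn):
    # The User-Name comes from the client, so it is escaped before use.
    return "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter_value(upn)

def classify(user_name, upn_suffix):
    lowered = user_name.lower()
    if lowered.startswith("host/"):
        return "machine"      # domain computers: host/name.domain
    if "\\" in user_name:
        return "downlevel"    # DOMAIN\user
    if lowered.endswith("@" + upn_suffix.lower()):
        return "upn"
    return "plain"

def resolve(user_name, upn_suffix, search):
    """Return the name to hand to ntlm_auth, or None to reject.
    search(filter) is a hypothetical callable returning sAMAccountName values."""
    if classify(user_name, upn_suffix) != "upn":
        return user_name                  # leave non-UPN formats untouched
    matches = search(upn_filter(user_name))
    return matches[0] if len(matches) == 1 else None  # no or ambiguous match

def make_search(directory):
    """Constructed in-memory stand-in for the LDAP server (UPN -> sAMAccountName)."""
    def search(ldap_filter):
        value = re.search(r"\(userPrincipalName=(.*)\)\)$", ldap_filter).group(1)
        pattern = ""
        for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", value):
            if len(tok) == 3:             # \XX escape: literal character
                pattern += re.escape(chr(int(tok[1:], 16)))
            else:                         # bare '*' is the LDAP wildcard
                pattern += ".*" if tok == "*" else re.escape(tok)
        return [sam for upn, sam in directory.items()
                if re.fullmatch(pattern, upn, re.IGNORECASE)]
    return search

# Constructed sample data; thissuffix.tld is the realm from the post.
DIRECTORY = {"mathieu.simon@thissuffix.tld": "msimon01",
             "mary.smith@thissuffix.tld": "u4711"}
SEARCH = make_search(DIRECTORY)
```

Rejecting anything other than exactly one match keeps an ambiguous or wildcard-like name from being mapped onto an arbitrary account.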


