UserPrincipalName with ntlm_auth, trying to get it "right"

Alan DeKok aland at
Thu Jan 14 16:53:19 CET 2016

On Jan 14, 2016, at 10:47 AM, Mathieu Simon (Lists) <matsimon.lists at> wrote:
> That's what I somewhat ended up, learning another thing or two about
> FreeRADIUS: rlm_ldap is really different with 3.0 than 2.2, basically
> ldap.attrmap seems gone and I was looking in the wrong place.
> Alan: However even the branch for 3.1 doc/modules/ldap_howto.rst
> mentions it - is that still valid?

  No.  I'll go fix that.

> It seems getting the value from LDAP during a request is pretty easy
> after all, no need for extra scripts... hmm.

  Yes.  3.0 / 3.1 are *much* simpler than version 2 for a lot of things.

> Then mschap used the obtained LDAP attribute instead of User-Name. That
> seemed to work after with eapol_test and some real devices.

  If it works, it works... but there's no *guarantee* it will always work.

> Both "needs" both ways to be accepted. Would it be better to proxy all
> requests with a domain suffix to another (virtual) server and have
> rlm_mschap and rlm_ldap configured there differently for this purpose?

  That should work.

  Alan DeKok.

More information about the Freeradius-Users mailing list