UserPrincipalName with ntlm_auth, trying to get it "right"

Mathieu Simon (Lists) matsimon.lists at
Fri Jan 15 09:44:15 CET 2016


Am 14.01.2016 um 16:53 schrieb Alan DeKok:
>> Alan: However even the branch for 3.1 doc/modules/ldap_howto.rst
>> mentions it - is that still valid?
>   No.  I'll go fix that.
Thanks, I simply stumbled upon this when grepping through the source.
>> It seems getting the value from LDAP during a request is pretty easy
>> after all, no need for extra scripts... hmm.
>   Yes.  3.0 / 3.1 are *much* simpler than version 2 for a lot of things.
Definitely, I need to get those version 2 habits out of my brain...

>> Then mschap used the obtained LDAP attribute instead of User-Name. That
>> seemed to work after with eapol_test and some real devices.
>   If it works, it works... but there's no *guarantee* it will always work.

I see eduroam folks use a username at homeorg.tld format which does look
like a UPN (maybe on their backend it isnt). I'd also guess that some
organizations have Active Directory as backend, and I see some also use
PEAP-MSCHAPv2 ... thus there must be similarities to what I have here.

If anyone on this is willing to share how they did it, that would be
interesting to hear and how (well) it works for them. I hope I could
then avoid stumbling into a potential pitfall with MSCHAP...

>> Both "needs" both ways to be accepted. Would it be better to proxy all
>> requests with a domain suffix to another (virtual) server and have
>> rlm_mschap and rlm_ldap configured there differently for this purpose?
>   That should work.
Thanks for that indication Alan.

-- Mathieu

More information about the Freeradius-Users mailing list