UserPrincipalName with ntlm_auth, trying to get it "right"
Matthew Newton
mcn4 at leicester.ac.uk
Fri Jan 15 12:43:02 CET 2016
On Fri, Jan 15, 2016 at 09:44:15AM +0100, Mathieu Simon (Lists) wrote:
> I see eduroam folks use a username@homeorg.tld format which does look
> like a UPN (maybe on their backend it isn't).
It's an NAI. There's a difference. See RFC 4282.
> I'd also guess that some organizations have Active Directory as
> backend, and I see some also use PEAP-MSCHAPv2 ... thus there
> must be similarities to what I have here.
Yes. sAMAccountName@realm
Though for completeness here our UPN is the same as
sAMAccountName@realm (for one version of "realm" anyway).
> If anyone on this is willing to share how they did it, that would be
> interesting to hear and how (well) it works for them. I hope I could
> then avoid stumbling into a potential pitfall with MSCHAP...
Used sAMAccountName.
I'll spare the list the details of the arguments I've had with
people here on "it's their e-mail address", "no, it's
username@realm". Aside from when we started to permit people to
have their name as their e-mail address, and suddenly all the
documentation had to be changed because e-mail address no longer
worked for those that changed e-mail address. :-)
But if you try it with UPN and it works reliably then it would be
interesting to know.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>