ldap group membership check issue

Alan DeKok aland at deployingradius.com
Fri Oct 27 12:58:37 CEST 2017

On Oct 27, 2017, at 6:03 AM, Евгений Подберезкин <epodber at gmail.com> wrote:
> I'm trying to check a group of user in Active directory (Win2008) using
> rlm_ldap. While we have several domains in transitive relations, I should
> send username with domain part. When domain name is a suffix (
> epodberezkin at chtpz.ru), it is working, prefix - not (when windows uses
> login username and domain automatically - f.e. CHTPZ0\epodberezkin)

  You need to configure the ntdomain module.  See raddb/sites-enabled/default, and look for "ntdomain".  And see raddb/mods-available/realm.  Also look for "ntdomain"

> Output of radiusd -X shows, that "DOMAIN\" part is not removed, so
> sAMAccountname is incorrect

  That's "radiusd -Xxx".  PLEASE follow instructions and just use "radiusd -X".  Honestly, I now have to say this DAILY on the list.  What's going on, people?

  On top of that, it's only a tiny portion of the debug output.

> How can I fix this??

  Configure CHTPZ0 as a realm.  And do ntdomain checking.

  Again, if you follow instructions, run "radiusd -X", and *read the output", you would see it finding the "chtpz.ru" realm, and stripping it.  That should be a strong hint that you probably also need to configure a CHTPZ0 domain, too.

  Alan DeKok.

More information about the Freeradius-Users mailing list