ldap group membership check issue
aland at deployingradius.com
Fri Oct 27 12:58:37 CEST 2017
On Oct 27, 2017, at 6:03 AM, Евгений Подберезкин <epodber at gmail.com> wrote:
> I'm trying to check a group of user in Active directory (Win2008) using
> rlm_ldap. While we have several domains in transitive relations, I should
> send username with domain part. When domain name is a suffix (
> epodberezkin at chtpz.ru), it is working, prefix - not (when windows uses
> login username and domain automatically - f.e. CHTPZ0\epodberezkin)
You need to configure the ntdomain module. See raddb/sites-enabled/default, and look for "ntdomain". And see raddb/mods-available/realm. Also look for "ntdomain"
> Output of radiusd -X shows, that "DOMAIN\" part is not removed, so
> sAMAccountname is incorrect
That's "radiusd -Xxx". PLEASE follow instructions and just use "radiusd -X". Honestly, I now have to say this DAILY on the list. What's going on, people?
On top of that, it's only a tiny portion of the debug output.
> How can I fix this??
Configure CHTPZ0 as a realm. And do ntdomain checking.
Again, if you follow instructions, run "radiusd -X", and *read the output", you would see it finding the "chtpz.ru" realm, and stripping it. That should be a strong hint that you probably also need to configure a CHTPZ0 domain, too.
More information about the Freeradius-Users