Username substitution via LDAP call possible?

Matthew Newton mcn at freeradius.org
Tue Sep 4 19:30:53 CEST 2018


On Tue, 2018-09-04 at 16:31 +0000, Pedranti, Brian wrote:
> I would like to use Freeradius as a RADIUS proxy. I need a layer
> between our VMWare Horizon View system and Duo for 2-factor.
> Unfortunately, our users log in with their UPN, which is not kept on
> our Duo instance. We also cannot use aliasing in the Duo system.
> 
> So, we need it to take in a UPN (always an email address), and
> perform an LDAP lookup and then pass the user's CN or samAccountName
> on to our Duo authproxy RADIUS module.
> The server can run on Linux or Windows.
> 
> Am I dreaming? Is this remotely doable? :)

If you're doing EAP, then probably not; you generally can't change the
user name without things breaking.

If not, then it's possibly OK.

Configure rlm_ldap to look up the user, and then use unlang to update
the User-Name attribute to the data returned in the appropriate LDAP
attribute.

Then proxy as usual.

I've never used Horizon View or Duo, so no idea if it will actually
work with them, though...

-- 
Matthew
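
One way to wire up the approach described in the reply above, as an added example that is not part of the original post and not tested against Horizon View or Duo. It assumes FreeRADIUS 3.0.x syntax, an already configured `ldap` module instance, and non-EAP requests; the base DN, realm name, home server address and secret are placeholders.

```unlang
# sites-available/default (added example; FreeRADIUS 3.0.x syntax assumed)
authorize {
    # EAP breaks if the user name changes, so only rewrite
    # non-EAP requests whose User-Name looks like a UPN.
    if (!&EAP-Message && &User-Name =~ /^[^@]+@[^@]+$/) {
        update control {
            # The ldap xlat uses the module's own connection (empty host
            # in the URL) and escapes the expanded User-Name before it is
            # placed in the search filter.
            # dc=example,dc=com is a placeholder base DN.
            &Tmp-String-0 := "%{ldap:ldap:///dc=example,dc=com?sAMAccountName?sub?(userPrincipalName=%{User-Name})}"
        }

        # Fail closed: if the lookup returned nothing, do not proxy
        # the unmapped name onwards.
        if (!&control:Tmp-String-0 || &control:Tmp-String-0 == "") {
            reject
        }

        update request {
            &User-Name := &control:Tmp-String-0
        }
    }

    # "duo" is a hypothetical realm name, defined in proxy.conf below.
    update control {
        &Proxy-To-Realm := "duo"
    }
}

# proxy.conf (placeholder address and secret)
home_server duo_authproxy {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = CHANGE_ME
}
home_server_pool duo_pool {
    home_server = duo_authproxy
}
realm duo {
    auth_pool = duo_pool
    nostrip
}
```

Running the server with `radiusd -X` shows the LDAP search and the rewritten User-Name in the debug output, which confirms the mapping before pointing real clients at it.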

