Machine Authentication with NTLM followed by LDAP group authorization

Travis Dimmig tdimmig at
Wed Feb 20 23:09:42 CET 2019

Hello list!  Sorry ahead of time for the long explanation:

I'm trying to configure FreeRADIUS to do authentication with the mschap module, then use the LDAP module to authorize the request based on group membership.

I have this working as expected for user authentication, no problem there.  What I'm not sure on is the best way to do it for machine authentications as well.  For the mschap portion, using a username of %{mschap:User-Name} causes the supplied string like "host/" to be changed to "machine$" when invoking the ntlm_auth binary, which makes it match the samAccountName in AD for that computer record.

When setting up the filter for the LDAP search then, is there a standard way to convert the User-Name the same way the mschap module does so I can use the same filter for user authentication and machine authentication (both checking samAccountName)?

The other alternative that I maybe found is that computer records in AD seem to have a "servicePrincipalName" attribute whose value is the whole "host/" string.  I could set up the LDAP filter to match either samAccountName or servicePrincipalName, I just don't know if the latter is something I can guarantee will always work that way that I can rely on (I'm not familiar with that attribute).

Once the first search is done to fetch the DN of the record, the group membership query is working fine for both users and machines, I'm just not sure what is the best way to match the machine name.

Here are some example ldapsearch invocations I was using to try to nail this down:

## Idea one, make a filter that finds either a user or a computer object by updating the filter to check samAccountName or servicePrincipalName

ldapsearch -D 'cn=Administrator,cn=users,dc=company,dc=example,dc=com' -W -p 389 -h [IP] -b "dc=company,dc=example,dc=com" "(|(samAccountName=tdimmig)(servicePrincipalName=tdimmig))"

ldapsearch -D 'cn=Administrator,cn=users,dc=company,dc=example,dc=com' -W -p 389 -h [IP] -b "dc=company,dc=example,dc=com" "(|(samAccountName=host/"

## Idea two, can I normalize the "host/" type of usernames to the "machine$" type to then always query the samAccountName attribute

ldapsearch -D 'cn=Administrator,cn=users,dc=company,dc=example,dc=com' -W -p 389 -h [IP] -b "dc=company,dc=example,dc=com" "(samAccountName=tdimmig)"

ldapsearch -D 'cn=Administrator,cn=users,dc=company,dc=example,dc=com' -W -p 389 -h [IP] -b "dc=company,dc=example,dc=com" "(samAccountName=machine$)"

Travis Dimmig
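The following is an added example, not code from the original post or from the FreeRADIUS project. It shows "idea two" from the message done outside FreeRADIUS: a User-Name is normalised the way the mschap module's %{mschap:User-Name} expansion does it (a "host/fqdn" name becomes the short hostname before the first dot plus a trailing "$", a "DOMAIN\user" name loses its domain prefix), and the result is escaped per RFC 4515 before it is placed in a samAccountName filter. The escaping matters for anyone building the filter in a script or feeding ldapsearch from a RADIUS attribute, since User-Name is attacker-controlled input and "*", "(", ")" and "\" would otherwise change the meaning of the filter. The exact edge cases of the rlm_mschap rule (for example a "host/" name with no dot) are an assumption here and should be checked against the rlm_mschap version in use; the sample names are constructed.

```python
"""Normalise a RADIUS User-Name for an AD samAccountName lookup and build a
safe LDAP search filter from it.

Added example, not from the FreeRADIUS project or the original post.
The normalisation rule is assumed to mirror rlm_mschap's
%{mschap:User-Name} expansion.
"""

# RFC 4515 escapes for characters that are special inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def mschap_user_name(user_name: str) -> str:
    """Return the name rlm_mschap would hand to ntlm_auth (assumed behaviour).

    - "host/pc1.company.example.com" -> "pc1$"     (machine account)
    - "COMPANY\\tdimmig"              -> "tdimmig"  (domain prefix dropped)
    - "tdimmig"                        -> "tdimmig"
    """
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        # Keep only the short hostname; AD names machine accounts "<host>$".
        short_host = fqdn.split(".", 1)[0]
        return short_host + "$"
    if "\\" in user_name:
        # "DOMAIN\user" -> "user"
        return user_name.rsplit("\\", 1)[1]
    return user_name


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_filter(user_name: str) -> str:
    """Build the samAccountName filter that works for users and machines."""
    sam = ldap_filter_escape(mschap_user_name(user_name))
    return f"(samAccountName={sam})"


def ldapsearch_argv(user_name: str, bind_dn: str, host: str, base_dn: str) -> list:
    """Argument vector for ldapsearch mirroring the invocations in the post.

    Returned as a list so the filter is passed as one argument and no shell
    quoting is involved; the -W prompt for the bind password is kept.
    """
    return [
        "ldapsearch", "-D", bind_dn, "-W", "-p", "389", "-h", host,
        "-b", base_dn, account_filter(user_name),
    ]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real directory.
    for name in ("tdimmig", "COMPANY\\tdimmig",
                 "host/pc1.company.example.com", "host/evil*)(objectClass=*"):
        print(f"{name!r:40} -> {account_filter(name)}")
```

Inside FreeRADIUS itself the same expansion can be referenced directly in the ldap module's filter, e.g. `filter = "(samAccountName=%{mschap:User-Name})"`, so that user and machine requests share one filter; confirm against the rlm_ldap documentation for the version in use, since this note is not taken from the original post.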
