LDAP AD and SAMCompatibleName

Dave Funk dbfunk at engineering.uiowa.edu
Mon Mar 18 13:45:57 UTC 2024


On Mon, 18 Mar 2024, Andrei Katsuk wrote:

> Hello,
> I use rlm_ldap to authenticate users in the AD directory.
> Part of my ldap config:
>
> identity = cn=admin,cn=users,dc=example,dc=com
> base_dn = cn=users,dc=example,dc=com
>
> filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
>
> So I can use upn form for authentication, for example
> echo "User-Name=user@example.com,User-Password=password" | radclient
> localhost:1812 auth testing123 -x
>
> Is it possible for rlm_ldap to use not only upn form, but also
> SAMCompatibleName form like
> echo "User-Name=REALM\user,User-Password=password" | radclient
> localhost:1812 auth testing123 -x ?
>
> Thanks,
> Andrei

Are you sure about that 'SAMCompatibleName' attribute name? Our AD forest only 
has 'sAMAccountName', and it doesn't contain the "REALM\" part of the value, only 
"sAMAccountName=user".

Be that as it may, the way to do that is to augment your search filter using 
LDAP syntax:

filter = "(|(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"

Adjust that 'sAMAccountName' attribute name to meet your needs.

-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
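The following is an added example, not code from the FreeRADIUS project or from either poster. It models how the combined filter in the reply expands for the two User-Name forms in the question, and why the "REALM\" prefix has to be stripped (in FreeRADIUS that is normally the job of the ntdomain realm module, which sets Stripped-User-Name) before the sAMAccountName branch can match, since, as the reply notes, the attribute holds only "user". The ntdomain_strip function is a simplified stand-in for that module, written here for illustration; ldap_filter_escape applies the RFC 4515 escaping that rlm_ldap applies to expanded values in its filter, which is what keeps a backslash or parenthesis in a User-Name from changing the shape of the search.

```python
from typing import Optional, Tuple

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape filter metacharacters so a user-supplied value cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ntdomain_strip(user_name: str) -> Tuple[Optional[str], Optional[str]]:
    """Simplified model (an assumption, not FreeRADIUS code) of the ntdomain realm
    module: split 'REALM\\user' into (realm, stripped name).  Returns (None, None)
    when there is no backslash, i.e. nothing was stripped."""
    realm, sep, user = user_name.partition("\\")
    if not sep:
        return None, None
    return realm, user


def expand_user(user_name: str, stripped_user_name: Optional[str]) -> str:
    """%{%{Stripped-User-Name}:-%{User-Name}}: Stripped-User-Name if a realm
    module set it, otherwise the raw User-Name."""
    return stripped_user_name if stripped_user_name else user_name


def build_filter(user_name: str, stripped_user_name: Optional[str] = None) -> str:
    """Expand the combined filter from the reply for one request."""
    value = ldap_filter_escape(expand_user(user_name, stripped_user_name))
    return f"(|(userPrincipalName={value})(sAMAccountName={value}))"


def filter_for_request(user_name: str, ntdomain_enabled: bool) -> str:
    """Full path for one request: optional realm stripping, then filter expansion."""
    stripped = None
    if ntdomain_enabled:
        _, stripped = ntdomain_strip(user_name)
    return build_filter(user_name, stripped)


if __name__ == "__main__":
    # UPN form: no backslash, so nothing is stripped and the UPN branch can match.
    print(filter_for_request("user@example.com", ntdomain_enabled=True))
    # REALM\user with stripping enabled: sAMAccountName=user can match.
    print(filter_for_request("REALM\\user", ntdomain_enabled=True))
    # Same name without stripping: the backslash is escaped to \5c and neither
    # attribute holds "REALM\user", so the search returns nothing.
    print(filter_for_request("REALM\\user", ntdomain_enabled=False))
```

The third case is the one to check when the sAMAccountName branch never matches: if no realm module ran, Stripped-User-Name is unset and the whole "REALM\user" string is searched for verbatim.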

