LDAP AD and SAMCompatibleName
Alan DeKok
aland at deployingradius.com
Tue Mar 19 20:51:06 UTC 2024
On Mar 19, 2024, at 1:30 PM, Andrei Katsuk <steep8 at gmail.com> wrote:
> Someone can enter bob@company.com or REALM\bob, where REALM is the
> netbios name of AD server.
> The first format is UserPrincipalName and it can be easily handled by
> setting up a filter in rlm_ldap config
> The second format is SAMCompatibleName and is not handled out-of-the-box.
>
>> If you have e-mails of the form "bob@company.com", is the sAMAccountName for that user always going to be "bob"? Or will it be something else?
>
> It seems sAMAccountName contains only "bob".
So why not just look up "bob"?
The "realm" module can look up suffixes ("bob@example.com") and prefixes ("REALM\bob"). See mods-available/realm.
You can use both realms in sites-available/default:

    #
    #  Look for realms in user@domain format
    suffix
    #  ntdomain

Just uncomment "ntdomain".
Then define two realms in proxy.conf, one for each format:

    realm company.com {
    }

    realm REALM {
    }

This tells the "realm" module to allow those two names for realms.
When the server receives a packet, it will run the "default" virtual server, and then both "suffix" and "ntdomain". After those modules have been run, the Stripped-User-Name attribute will always contain the user name ("bob"). And the Realm attribute will always contain either "example.com" or "REALM".
Then configure the LDAP module to look up:

    filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name} ...

This is in the default configuration in mods-available/ldap. It's commented out, so just uncomment it, and comment out any other "filter" line.
After that, it should work.
Alan DeKok.
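The lookup described in the reply above, as an added example that is not part of the original message and not FreeRADIUS code: a Python model of how the "suffix" and "ntdomain" instances of the realm module split User-Name into Stripped-User-Name and Realm, and of the sAMAccountName filter that the rlm_ldap line expands into via %{%{Stripped-User-Name}:-%{User-Name}}. The realm names company.com and REALM come from the reply; the case-insensitive realm matching, the constructed sample usernames, the exact attribute names, and the "unknown realm is left unstripped" fallback are assumptions of the model. It also shows the failure modes a practitioner should check: a realm that is not defined in proxy.conf is not stripped, so the LDAP search is run on the whole string, and filter metacharacters in the name must be escaped (rlm_ldap escapes the expanded value itself; the explicit ldap_escape() here shows what that protects against).

```python
"""Model of the realm split and LDAP filter step from the reply above.

Added illustration, not FreeRADIUS code. Realm names are from the reply;
matching rules and sample inputs are assumptions of this model.
"""
from __future__ import annotations

# Assumption: the two realms defined in proxy.conf, one per name format.
KNOWN_REALMS = {"company.com", "REALM"}


def _known(realm: str, known: set[str]) -> bool:
    # Assumption for the model: realm names are matched case-insensitively.
    return realm.lower() in {r.lower() for r in known}


def split_user_name(
    user_name: str, known: set[str] = KNOWN_REALMS
) -> tuple[str | None, str | None]:
    """Return (Stripped-User-Name, Realm) as the realm module would set them.

    "suffix" runs first and splits on the last "@" (user@domain);
    "ntdomain" then splits on the first backslash (DOMAIN\\user).
    Only a realm listed in proxy.conf is stripped; anything else leaves
    both attributes unset, so the LDAP filter falls back to User-Name.
    """
    if "@" in user_name:                      # suffix: user@domain
        user, _, realm = user_name.rpartition("@")
        if user and _known(realm, known):
            return user, realm
    if "\\" in user_name:                     # ntdomain: DOMAIN\user
        realm, _, user = user_name.partition("\\")
        if user and _known(realm, known):
            return user, realm
    return None, None


# RFC 4515 escaping for a value placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(user_name: str, known: set[str] = KNOWN_REALMS) -> str:
    """Build the filter that %{%{Stripped-User-Name}:-%{User-Name}} expands to.

    The default-value xlat means an unstripped name is searched verbatim:
    "bob@other.example" never matches sAMAccountName "bob".
    """
    stripped, _realm = split_user_name(user_name, known)
    name = stripped if stripped is not None else user_name
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(name)}))"


if __name__ == "__main__":
    # Constructed sample User-Name values: both accepted formats, a bare
    # name, an unknown realm, and a filter-injection attempt.
    for name in ("bob@company.com", "REALM\\bob", "bob",
                 "bob@other.example", "*)(objectClass=*"):
        print(f"{name!r:22} -> {split_user_name(name)} -> {ldap_filter(name)}")
```

Run it as a script to see each input beside the attributes it yields and the filter that results; the unknown-realm and injection rows are the ones worth comparing against a live server's debug output (radiusd -X), since the realm module only strips what proxy.conf declares.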
More information about the Freeradius-Users mailing list