LDAP AD and SAMCompatibleName
Andrei Katsuk
steep8 at gmail.com
Fri Mar 22 09:04:57 UTC 2024
Currently I want to authenticate users who enter EXAMPLE\bob or bob@example.com.
Also I don't want to grant access to users who enter EXAMPLE.COM\bob or bob@EXAMPLE.
To do this I defined two realms in proxy.conf:
    realm example.com {
    }
    realm EXAMPLE {
    }
and modified the server configuration:

    # suffix splits user@realm; "ok" means a defined realm matched
    suffix
    if (ok) {
        find_dot_in_realm
        if (notfound) {
            # bob@EXAMPLE: user@ form with the NetBIOS name, rejected
            reject
        } else {
            # bob@example.com: look the account up by UPN (full User-Name)
            update control {
                &control:Tmp-String-0 := "(userPrincipalName=%{User-Name})"
            }
        }
    }
    # ntdomain splits DOMAIN\user; it is a no-op if suffix already set Realm
    ntdomain
    if (ok) {
        find_dot_in_realm
        if (ok) {
            # EXAMPLE.COM\bob: DOMAIN\ form with the DNS name, rejected
            reject
        } else {
            # EXAMPLE\bob: look the account up by sAMAccountName (stripped name)
            update control {
                &control:Tmp-String-0 := "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
            }
        }
    }
where find_dot_in_realm is defined in policy:

    # at least one character on each side of a dot, e.g. example.com
    find_dot_in_realm_regexp = "^(.+)\.(.+)$"

    find_dot_in_realm {
        if (Realm && (Realm =~ /${policy.find_dot_in_realm_regexp}/)) {
            ok
        }
        else {
            notfound
        }
    }
and defined the filter in the rlm_ldap configuration as

    filter = &control:Tmp-String-0

Is this the right approach, or can something be done in a better or easier way?
Thanks,
Andrei
More information about the Freeradius-Users mailing list
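The decision the unlang above makes (suffix first, then ntdomain, reject the realm spelling that does not fit the form) as a stand-alone Python model, added here as an example; it is not code from the post or from FreeRADIUS. It assumes the two realms from proxy.conf, a function name `build_ad_filter`, and a constructed set of logins. It also adds the one thing the unlang does not do: RFC 4515 escaping of the value placed in the filter, since `update control` expands `%{User-Name}` with plain xlat and not with rlm_ldap's own filter escaping.

```python
"""Classify an AD login the way the suffix/ntdomain unlang does and build the LDAP filter.

Added example, not from the post or from FreeRADIUS. Realm names, the function
name and the sample logins are assumptions for illustration.
"""
import re
from typing import Optional, Tuple

# The two realms defined in proxy.conf in the post. FreeRADIUS matches realm
# names case-insensitively, so they are kept lower-case here.
REALMS = {"example.com", "example"}

# The policy's find_dot_in_realm regexp: at least one character on each side of a dot.
FIND_DOT_IN_REALM = re.compile(r"^(.+)\.(.+)$")

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
# The unlang's %{User-Name} xlat in "update control" does not do this.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_ad_filter(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (status, filter) for a User-Name, mirroring the unlang return codes.

    "ok"     -> a filter was built
    "reject" -> wrong realm spelling for the form (EXAMPLE.COM\\bob, bob@EXAMPLE)
    "noop"   -> no realm module matched (unknown realm or plain username)
    """
    # suffix runs first and splits on the last '@'. Once it has set Realm the
    # ntdomain module is a no-op, so a name with both '@' and '\' lands here.
    if "@" in user_name:
        stripped, _, realm = user_name.rpartition("@")
        if not stripped or realm.lower() not in REALMS:
            return ("noop", None)
        if not FIND_DOT_IN_REALM.match(realm):
            return ("reject", None)  # bob@EXAMPLE
        # The post uses the full User-Name for the userPrincipalName lookup.
        return ("ok", f"(userPrincipalName={ldap_filter_escape(user_name)})")

    # ntdomain splits DOMAIN\user on the first backslash.
    if "\\" in user_name:
        realm, _, stripped = user_name.partition("\\")
        if not stripped or realm.lower() not in REALMS:
            return ("noop", None)
        if FIND_DOT_IN_REALM.match(realm):
            return ("reject", None)  # EXAMPLE.COM\bob
        # Stripped-User-Name is what goes into the sAMAccountName lookup.
        return ("ok", f"(sAMAccountName={ldap_filter_escape(stripped)})")

    return ("noop", None)


if __name__ == "__main__":
    # Constructed sample logins, including one that tries to inject filter syntax.
    for login in ["EXAMPLE\\bob", "bob@example.com", "EXAMPLE.COM\\bob",
                  "bob@EXAMPLE", "bob", "OTHER\\bob", "EXAMPLE\\*)(objectClass=*"]:
        print(f"{login!r:32} -> {build_ad_filter(login)}")
```

The last sample login shows why the escaping matters: without it, `*)(objectClass=*` becomes part of the filter structure instead of a literal account name, and the lookup no longer matches on sAMAccountName alone.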