LDAP AD and SAMCompatibleName

[Matthew Newton]

On 26/03/2024 10:48, Alan DeKok wrote:
> On Mar 26, 2024, at 1:48 AM, Andrei Katsuk <steep8 at gmail.com> wrote:
>> When realm is defined as realm EXAMPLE it grants access for
>> EXAMPLE\bob and bob at EXAMPLE.
> 
>    Yes, I know...

The "filter_username" policy (in the default config) already stops 
bob at EXAMPLE. It's invalid because it doesn't have a "." in the realm.

Which just leaves EXAMPLE\bob, bob at example.com and example.com\bob

To stop the latter, just use unlang.


   filter_username
...
   suffix
   ntdomain
   if (ok && &Realm =~ /\./) {
     reject
   }

I agree, for the number of people actually discovering that it works and 
then getting excited because they can do something different from 
everyone else that gives them no extra benefits, it's probably not worth 
the CPU cycles.

-- 
Matthew