On 02/03/11 14:43, McNutt, Justin M. wrote:
> So in the short term, I'd like to figure out a way to automatically match the DNS-style domain name based on the User-Name variable and update the NT-Domain variable so ntlm_auth will work for more cases.

%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. There's no attribute you can "set", so you'll need to use another attribute (see my other email).

> Depending upon how this is implemented - what I'm about to say may not be necessary - I'd like to see a flag for the mschap module that chooses between the "NT-style domain guessing" (which results in "col" in this case) and "DNS-style domain guessing" (which would take everything after the first dot as the domain). I think that might result in a cleaner solution in the long term. I think it should be a flag - set to the current "NT-style guessing" as the default - to maintain backward compatibility and ease of removal in case it turns out to be a Very Bad Idea Indeed. What do you think?

I agree. However, as I say - I am pretty sure that long-form won't work either if you have a disjoint DNS/AD namespace. In that case, sites are going to have to use locally-defined rules.