On 01/25/2012 02:30 PM, NdK wrote:
> On 25/01/2012 13:32, Phil Mayers wrote:
>
>>> To let (most (*)) users login with their e-mail address, I'd need to
>>> "translate" the realm part to a domain.
>> Why do you think this is true?
> 'cause ntlm_auth won't authenticate [email protected] or
> user.name@PERSONALE . It returns "no such user". It authenticates
> PERSONALE\user.name . Or "--username=user.name --domain=PERSONALE".

So don't pass that in.

> That's not FR-related. It's something in Win/AD, so I think there's
> nothing doable from FR to "fix" it.

Not so. You can configure FreeRADIUS to pass correct data.

There are many ways to do this. The "simplest" is something like follows:

modules/mschap:

  ...
  # ntlm_auth takes the domain via --domain (there is no --nt-domain option)
  ntlm_auth = ".. \
    --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
    --domain=YOUR-DOMAIN"

sites-enabled/whatever:

authorize {
  ...
  ntdomain
  suffix
  mschap
  ...
}

...and define the realms in your proxy.conf file.

This solution basically uses the "realm" module to strip the DOMAIN\user and [email protected] into "user" and "DOMAIN / domain.com". You then ignore the realm in your ntlm_auth line - just hard-code it.

If you can't ignore the realm, you can do something like:


modules/mschap:

  ...
  # pass the (possibly rewritten) realm as the NT domain, falling back
  # to DEFAULT when no realm was found
  ntlm_auth = ".. \
    --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \
    --domain=%{%{Realm}:-DEFAULT}"

sites-enabled/whatever:

authorize {
  ...
  suffix
  ntdomain
  # check and maybe re-write the realm
  if (Realm) {
   switch "%{Realm}" {
    case "SHORT" {
      # nothing to do, leave alone
    }
    case "LONG.FORM" {
      update request {
        Realm := "SHORT"
      }
    }
    case {
      # unknown realm
      reject
    }
   }
  }
  mschap
}

Alternatively you can process the realm yourself using regexps. This gives you a bit more control. For example:

authorize {
  # SHORT\user : the backslash must be doubled to match a literal one
  if (User-Name =~ /^SHORT\\(.+)$/) {
    update request {
      Realm := "SHORT"
      Stripped-User-Name := "%{1}"
    }
  }
  # user@long.com : escape the dot and anchor the end so "long.com.evil" is not accepted
  elsif (User-Name =~ /^(.+)@long\.com$/i) {
    update request {
      Realm := "SHORT"
      Stripped-User-Name := "%{1}"
    }
  }
  ...
}

...and so on.

Basically, YOU control what data is passed to ntlm_auth, and FreeRADIUS provides several methods to control this.

All you need to do is:

1. Write down a list of which formats you want to allow
2. Write a FreeRADIUS config that allows those formats, and passes the correct data into ntlm_auth

If you need more specific help, just ask. But please try to read the docs for "man unlang" and the many, many examples in the default configs and in the list archives.
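As an added illustration (not part of the original mail or of the FreeRADIUS project), the following Python model shows the same normalisation the unlang examples above perform: accept `DOMAIN\user`, `user@domain` and bare `user`, map every allowed realm to the single NT domain ntlm_auth expects, and reject anything else. The realm table, the default domain and the sample user names are constructed assumptions.

```python
import re

# Constructed allow-list: every accepted realm spelling -> the NT domain to
# hand to ntlm_auth. Lookups are case-insensitive, so keys are lower-cased.
REALM_MAP = {k.lower(): v for k, v in {
    "PERSONALE": "PERSONALE",
    "personale.example.org": "PERSONALE",
}.items()}

# Assumed domain used when the User-Name carries no realm at all
# (mirrors the %{%{Realm}:-DEFAULT} fallback in the mschap module).
DEFAULT_DOMAIN = "PERSONALE"

_NT_FORM = re.compile(r"^([^\\]+)\\(.+)$")    # DOMAIN\user
_MAIL_FORM = re.compile(r"^(.+)@([^@]+)$")    # user@domain


def split_user_name(user_name):
    """Split a User-Name into (stripped_user, realm); realm is None if absent.

    This is what the 'ntdomain' and 'suffix' realm-module instances do
    before any mapping: NT form is checked first, then the e-mail form.
    """
    m = _NT_FORM.match(user_name)
    if m:
        return m.group(2), m.group(1)
    m = _MAIL_FORM.match(user_name)
    if m:
        return m.group(1), m.group(2)
    return user_name, None


def normalize(user_name):
    """Return {'username': ..., 'domain': ...} or None when the realm is unknown.

    None corresponds to the 'reject' branch in the unlang switch: a realm
    that is not on the allow-list is never forwarded to ntlm_auth.
    """
    user, realm = split_user_name(user_name)
    if not user:
        return None
    if realm is None:
        domain = DEFAULT_DOMAIN
    else:
        domain = REALM_MAP.get(realm.lower())
        if domain is None:
            return None
    return {"username": user, "domain": domain}


def ntlm_auth_args(user_name):
    """Build the --username/--domain arguments for ntlm_auth, or None to reject."""
    result = normalize(user_name)
    if result is None:
        return None
    return ["--username=" + result["username"], "--domain=" + result["domain"]]


if __name__ == "__main__":
    # Constructed sample User-Name values in each of the accepted formats,
    # plus one with a realm that is not on the allow-list.
    for name in ("PERSONALE\\user.name",
                 "user.name@personale.example.org",
                 "user.name@PERSONALE",
                 "user.name",
                 "user.name@somewhere-else.example"):
        print(name, "->", ntlm_auth_args(name))
```

Whatever the user typed, ntlm_auth only ever sees the stripped user and one canonical domain; the two regex forms and the allow-list are the "list of formats you want to allow" from the steps above, written down in one place.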
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html