It appears that when Windows sends the username it sends it as DOMAIN\\username.
The \\ causes the 5c to appear in the username. I confirmed this by using the radtest tool and specifying the username as DOMAIN\\username. A single \ causes the username to appear as DOMAINusername so that is why double \\ are required.

Thanks

On Wed, Jan 9, 2013 at 12:18 PM, Matthew Ceroni <matthewcer...@gmail.com> wrote:

> Phil:
>
> Thanks for the response. My understanding of what was happening with LDAP
> was actually incorrect. I thought it was binding as the admin DN I provided
> and then re-binding as the user that is trying to authenticate. The message
> returned was "No known good password found for user". Which is just a
> WARNING and caused because AD doesn't return the password when querying via
> LDAP. So no big deal. It was actually doing what I wanted.
>
> Until things got a little strange.
>
> [ldap] performing user authorization for DOMAIN\usrtest
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] ... expanding second conditional
> [ldap] expand: %{User-Name} -> DOMAIN\5cusrtest
> [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=DOMAIN\5cusrtest)
> [ldap] expand: ou=DOMAIN OU,dc=domain,dc=local -> ou=DOMAIN OU,dc=domain,dc=local
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in ou=DOMAIN OU,dc=domain,dc=local, with filter (samAccountName=DOMAIN\5cusrtest)
> [ldap] object not found
> [ldap] search failed
>
> As you can see it says performing authorization for DOMAIN\usrtest but
> then says it is expanding User-Name to DOMAIN\5cusrtest. Where that 5c
> comes from I have no idea. Any thoughts?
>
>
> On Wed, Jan 9, 2013 at 3:27 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
>
>> On 01/09/2013 12:43 AM, Matthew Ceroni wrote:
>>
>>> Hi:
>>>
>>> I am running FreeRadius version 2.1.12 on a CentOS 6 machine.
>>>
>>> For authentication I am using AD (ntlm_auth) and this works great. In
>>> the request the username is sent as just the plain username (ie:
>>> mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.
>>>
>>> My problem is on the authorization side in which I am using LDAP to grab
>>> the groups a user is in. In order to authenticate against ldap my bind
>>> DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I
>>> modify the User-Name or Stripped user name just for the LDAP
>>>
>>
>> Don't modify the "User-Name" attribute; that can break certain auth types.
>>
>> It's not really clear what you want to do, but you can either edit the
>> LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local
>> attribute "Full-User-Name" in raddb/dictionary - see the comments in there
>> about attribute numbers - then reference that in your LDAP filters.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
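The `\5c` in the debug output above is the RFC 4515 escape for a literal backslash: rlm_ldap escapes the expanded `%{User-Name}` before placing it in the search filter, so a name containing `\`, `*`, `(` or `)` cannot change the filter's structure (the same escaping that keeps a crafted User-Name from turning into an LDAP filter injection). Because `Stripped-User-Name` was empty, the `%{...:-...}` fallback used the full `DOMAIN\usrtest`, which is what got escaped and searched for. The following is an added Python example, not FreeRADIUS code and not from the thread; it reimplements the escaping, the `Stripped-User-Name` fallback, and a prefix-style realm split like FreeRADIUS's `ntdomain` realm, with the function names and the constructed sample names (`DOMAIN\usrtest`) being this example's own.

```python
import re
from typing import Optional, Tuple

# RFC 4515 section 3: inside a filter assertion value these characters must be
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search filter value (RFC 4515).

    This is the step that turns DOMAIN\\usrtest into DOMAIN\\5cusrtest.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value: turn \\XX hex escapes back into bytes."""
    raw = value.encode("utf-8")
    raw = re.sub(rb"\\([0-9A-Fa-f]{2})",
                 lambda m: bytes.fromhex(m.group(1).decode("ascii")), raw)
    return raw.decode("utf-8")


def strip_ntdomain(user_name: str, delimiter: str = "\\") -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into ('DOMAIN', 'user'), like a prefix-format realm.

    Returns (None, user_name) when the delimiter is absent, i.e. nothing to strip.
    """
    domain, sep, user = user_name.partition(delimiter)
    if not sep:
        return None, user_name
    return domain, user


def build_filter(user_name: str, stripped_user_name: Optional[str] = None) -> str:
    """Emulate the thread's filter template
    (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}).

    An empty Stripped-User-Name falls back to User-Name, and whichever value is
    chosen is escaped before it is spliced into the filter.
    """
    value = stripped_user_name if stripped_user_name else user_name
    return f"(samAccountName={escape_filter_value(value)})"


if __name__ == "__main__":
    # Constructed inputs that reproduce the debug output quoted in the thread.
    print(build_filter("DOMAIN\\usrtest", ""))      # (samAccountName=DOMAIN\5cusrtest)
    # With the domain prefix stripped, only the bare account name is searched for.
    _domain, user = strip_ntdomain("DOMAIN\\usrtest")
    print(build_filter("DOMAIN\\usrtest", user))    # (samAccountName=usrtest)
    # Escaping keeps a hostile name from altering the filter's structure.
    print(build_filter("*)(objectClass=*"))         # (samAccountName=\2a\29\28objectClass=\2a)
```

The second call shows why stripping the realm before the LDAP lookup matters: with `Stripped-User-Name` populated, the filter carries only the account name, while the unstripped form is escaped to `DOMAIN\5cusrtest` and searched for verbatim, which is what the "object not found" in the debug log reflects.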