On 12/02/2012 23:54, McNutt, Justin M. wrote:
I'm not sure why, then, but it actually does work. We have shown that with
the client configured to use u...@e.mail.address (where e.mail.address is
NOT the same as the AD domain), if I have FR look for 'e.mail.address' and
translate it to
@lists.freeradius.orgmailto:freeradius-users@lists.freeradius.org
Subject: Re: Multi-domain AD and Users Who Aren't So Bright
On 02/02/2012 05:33 PM, NdK wrote:
On 02/02/2012 13:35, McNutt, Justin M. wrote:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's
-users@lists.freeradius.org
Subject: Re: Multi-domain AD and Users Who Aren't So Bright
On 02/02/2012 12:35 PM, McNutt, Justin M. wrote:
ridiculously large number of phone calls to our Help Desk demonstrate
this, not to mention the Login incorrect messages from FR. (I
built all of my fix it stanzas
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate your users always use the correct DOM\user
format.
Or make 'em
Hi,
On Fri, Feb 03, 2012 at 08:22:38AM +0100, NdK wrote:
On 02/02/2012 21:59, Matthew Newton wrote:
/usr/bin/net ads search -P (mail=%{User-Name}) sAMAccountName|grep
sAMAccountName|sed s/^[^ ]* //
(maybe it's possible to do the same without using grep and sed, but it's
been just
On 02/02/2012 05:33 PM, NdK wrote:
On 02/02/2012 13:35, McNutt, Justin M. wrote:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
On 03/02/2012 12:51, Matthew Newton wrote:
Apologies - I meant that finding the answer to your 'trick' is not
a FreeRADIUS thing. It's a directory lookup, or identity
management type issue.
There must be a misunderstanding. I'm not asking advice about the query
itself (that would be OT
On 02/03/2012 04:56 PM, NdK wrote:
There must be a misunderstanding. I'm not asking advice about the query
itself (that would be OT here). *Given* that the query should (and that
'should' is not FR-related) return a 4-rows answer that I must translate
to a single row, how do I translate it to a
On 03/02/2012 13:48, Phil Mayers wrote:
This doesn't work, unless username == email local part.
*or* win uses the username to calculate the response. Since users *can*
actually log in to their accounts using their mail address... Maybe win
caches (or looks up) the real username?
Exactly.
On 02/03/2012 05:23 PM, NdK wrote:
*or* win uses the username to calculate the response. Since users *can*
actually log in to their accounts using their mail address... Maybe win
caches (or looks up) the real username?
Sure. If the client uses the right values as input to the crypto hash,
On 03/02/2012 18:57, Phil Mayers wrote:
FreeRADIUS is a bit complex in this area, because of the age of the code
involved. But basically:
1. with_ntdomain_hack = yes on the mschap module strips leading DOMAIN\
So it's not a hack. It's follow_mschap_specs :)
2. Otherwise, you have to
On 02/01/2012 09:57 PM, McNutt, Justin M. wrote:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate your users
On 01/02/2012 22:57, McNutt, Justin M. wrote:
So I'm working on a way to Improve the User Experience. I've gotten a LONG
way, but now I'm stuck. Here's the short/long version (all details, without
undue explanation or discussion of what I tried that doesn't work):
Done nearly the same
On 02/02/2012 12:35 PM, McNutt, Justin M. wrote:
We just finished a many-year span trying to get users to understand
and use DOM\user. They don't get it, at least not consistently. A
Not unreasonably. It's a failure of the IT Industry to solve
credentials. Most attention gets paid to
On 02/02/2012 13:35, McNutt, Justin M. wrote:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate your
On Thu, Feb 02, 2012 at 06:33:19PM +0100, NdK wrote:
I'm trying (with no luck :( ) to use
/usr/bin/net ads search -P (mail=%{User-Name}) sAMAccountName|grep
sAMAccountName|sed s/^[^ ]* //
(maybe it's possible to do the same without using grep and sed, but it's
been just a quick test --
On 02/02/2012 21:59, Matthew Newton wrote:
/usr/bin/net ads search -P (mail=%{User-Name}) sAMAccountName|grep
sAMAccountName|sed s/^[^ ]* //
(maybe it's possible to do the same without using grep and sed, but it's
been just a quick test -- suggestions welcome).
Have you tried
So I'm working on a way to Improve the User Experience. I've gotten a LONG
way, but now I'm stuck. Here's the short/long version (all details, without
undue explanation or discussion of what I tried that doesn't work):
WARNING: This may well be a case of doing it the hard way. If that's the