Matching loginname-attribute in LDAP resolver

Hi,
maybe I’m on the wrong track, but I need a little help:
It’s necessary to have the split-at-@-sign to enable logins to different realms. I also need to have realms to log in with the email address via FreeRADIUS for VPN. I made some unlang code to fill the RADIUS realm with the right value and pass it to PI, but PI is unable to match the stripped username to a full email address.

I tried to match it with mailNickname, but in these Active Directories it is not always filled in the right way.
Is there a way to do some sort of wildcard matching with loginname?

Matching users and realms can get really complicated.
This is fine, because sometimes some scenarios are complicated.

Note that the REST API of privacyIDEA accepts a parameter “user(name)” and “realm”.

The splitAtSign only allows the parameter “user” to contain a realm.

Here is a detailed writeup of the behaviour: https://privacyidea.readthedocs.io/en/latest/configuration/realms.html#relate-user-to-a-realm

So you could login with a user “user@maildomain” in the default realm “realm1”.

But you could also login with a user “user@maildomain@realm2” in another, non-default realm.

Your login attribute in AD can be “emailAddress”. And thus a user could log in with his email address in a default realm.
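To make the split rule described above concrete, here is an added model (not privacyIDEA’s own code) of how a login string is split at the last “@” into user and realm, together with the FreeRADIUS-side step of appending a second “@realm”; the realm names and default realm are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample configuration (assumption for this example):
# realms known to the privacyIDEA instance and the one marked as default.
KNOWN_REALMS = {"realm1", "realm2"}
DEFAULT_REALM = "realm1"


@dataclass(frozen=True)
class Resolved:
    user: str
    realm: str
    realm_explicit: bool  # True when the realm was taken from the login string


def split_at_sign(login: str, known_realms=KNOWN_REALMS,
                  default_realm=DEFAULT_REALM) -> Resolved:
    """Model of the splitAtSign behaviour from the thread.

    The login is split at the LAST '@'. If the suffix is a configured realm,
    it becomes the realm; otherwise the whole string stays the login name in
    the default realm. So 'user@maildomain' is kept intact in realm1, while
    'user@maildomain@realm2' selects realm2 with user 'user@maildomain'.

    Caveat: if a mail domain happens to equal a realm name, the address is
    split as user + realm, so keep realm names distinct from mail domains.
    """
    head, sep, tail = login.rpartition("@")
    if sep and head and tail in known_realms:
        return Resolved(user=head, realm=tail, realm_explicit=True)
    return Resolved(user=login, realm=default_realm, realm_explicit=False)


def add_realm_suffix(email: str, realm: str) -> str:
    """The step the poster performs in FreeRADIUS unlang before forwarding
    to privacyIDEA: append a second '@' plus the RADIUS-determined realm so
    the full e-mail address survives the split on the privacyIDEA side."""
    if "@" not in email or not realm:
        raise ValueError("need an e-mail address and a non-empty realm")
    return f"{email}@{realm}"
```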

How do you have your LDAP Loginname attribute configured? Whatever attribute(s) you put into this box are values that will be accepted as a login name. If you are using Active Directory, the mail attribute should contain the email address of the user. You shouldn’t need additional code to manipulate the incoming auth request.

Thanks Cornelius,
via unlang/FreeRADIUS I add the realm after a second @-sign to the email, and it works perfectly!!
