[GH-ISSUE #22] Help with sAMAccountName #16

Open
opened 2026-03-13 14:31:34 +03:00 by kerem · 8 comments

Originally created by @Zamana on GitHub (Sep 19, 2025).
Original GitHub issue: https://github.com/abbas-gheydi/radotp/issues/22

Hi!

We enabled `ForceSearchForSamAccountName = true` because our users log in to our VPN with "user.name" and not "user.name@company.com".

Unfortunately this is not working. We always receive Access-Reject at the active directory stage.

The only way to make radotp work is by using `ForceSearchForSamAccountName = false`, but this implies that our users need to log in by using "user.name@company.com" as username, which we don't want.

Is it possible to identify the cause of this issue? Is there a "debug" mode that we can use?

Thanks.
Regards.


@abbas-gheydi commented on GitHub (Sep 20, 2025):

Hi there,

radotp can automatically handle three types of username formats:

· user
· user@domain
· domain\user

This is a default feature and doesn't need any configuration to enable it.

Have you tried it with the default settings?

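The three formats listed above all have to be reduced to a bare account name before the server can search Active Directory for a matching sAMAccountName. The Go program below is an added illustration of that normalisation, written for this page; it is not radotp's own code. It goes one step further than the comment and also escapes the value per RFC 4515 before it is placed in the filter, because the RADIUS User-Name is attacker-controlled input. The function names, the `(objectClass=user)` filter shape, the decision to also match userPrincipalName for the `user@domain` form, and the sample usernames are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseUsername splits the three login formats (user, user@domain,
// domain\user) into the bare account name that an AD sAMAccountName
// lookup needs, plus the full UPN when the user typed one.
// Illustrative helper, not radotp's own code.
func ParseUsername(raw string) (account, upn string) {
	raw = strings.TrimSpace(raw)
	if i := strings.LastIndex(raw, `\`); i >= 0 { // DOMAIN\user
		return raw[i+1:], ""
	}
	if user, realm, ok := strings.Cut(raw, "@"); ok && user != "" && realm != "" { // user@domain
		return user, user + "@" + strings.ToLower(realm)
	}
	return raw, "" // bare user
}

// EscapeFilter escapes an LDAP search filter value per RFC 4515 so that
// attacker-controlled usernames cannot alter the filter structure.
func EscapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '\\' || c == '*' || c == '(' || c == ')' || c < 0x20 || c == 0x7f {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildFilter turns a raw RADIUS User-Name into the AD search filter.
// Bare and DOMAIN\user logins match on sAMAccountName only; user@domain
// logins also match userPrincipalName, because the UPN prefix and the
// sAMAccountName are not guaranteed to be identical in AD (assumption
// for this example, not radotp's documented behaviour).
func BuildFilter(raw string) string {
	account, upn := ParseUsername(raw)
	if upn != "" {
		return fmt.Sprintf("(&(objectClass=user)(|(sAMAccountName=%s)(userPrincipalName=%s)))",
			EscapeFilter(account), EscapeFilter(upn))
	}
	return fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))", EscapeFilter(account))
}

func main() {
	// Constructed sample inputs; the last one is a filter-injection attempt.
	for _, u := range []string{"john.doe", "john.doe@Company.COM", `COMPANY\john.doe`, "*)(objectClass=*"} {
		fmt.Printf("%-24q -> %s\n", u, BuildFilter(u))
	}
}
```

The injection input shows why escaping matters: without it, `*)(objectClass=*` would turn the sAMAccountName lookup into a match-everything filter and the server would bind or act on whichever entry comes back first.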

@Zamana commented on GitHub (Sep 22, 2025):

Hi!

Thanks for replying.

I guess, yes, we are using pretty much the default configuration. But it would be nice if you could validate it for us:

```
[radius]
    ListenAddress = "0.0.0.0:1812"
    Secret = "secret"
    Authentication_Mode = "two_fa_optional_otp"
    Enable_Fortinet_Group_Name = false
    EnableMessageAuthenticator = false
[web]
    ListenHTTP = "0.0.0.0:8080"
    Isuuer = "VPN"
    EnableRestApi = true
    Apikey = "apikey"
[database]
    server = "db"
    port = "5432"
    username = "postgres"
    password = "postgres"
    dbname = "postgres"
    sslmode = "disable"
    timezone = "America/Sao_Paulo"
    MaxOpenConns = 20
    MaxIdleConns = 20
    ConnMaxLifetimeInMiuntes = 5
[ldap]
    ldapServers = [ "172.16.128.2" , "172.16.128.3"]
    basedn = "DC=company,DC=com"
    port = 389
    security = 0
    ForceSearchForSamAccountName = false
[metrics]
    Listen = "0.0.0.0:2111"
    EnablePrometheusExporter = true
    PromethuesAddress = "http://prometheus:9090"
```

Thanks.
Regards.


@abbas-gheydi commented on GitHub (Sep 22, 2025):

Are you using Microsoft Active Directory or a different LDAP server?


@Zamana commented on GitHub (Sep 22, 2025):

We are using Microsoft Active Directory, and our VPN/Firewall server is Hillstone (if that matters).


@abbas-gheydi commented on GitHub (Sep 22, 2025):

Could you please try this configuration: set `EnableMessageAuthenticator = True`.

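Message-Authenticator (RADIUS attribute 80, RFC 2869 section 5.14) is an HMAC-MD5 keyed with the shared secret over the whole Access-Request, computed with the attribute's own 16 value bytes zeroed and the Request Authenticator included as sent. A server that enforces it rejects any request that lacks the attribute or whose MAC does not verify, which happens before any directory lookup, so a NAS that never sends the attribute gets Access-Reject even when the credentials are right. The Go program below is an added example of how the attribute is computed and verified on a constructed packet; it is not radotp's implementation, and the function names, the minimal packet layout (User-Name plus Message-Authenticator only), and the sample secret `secret` and username are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	radiusHeaderLen          = 20
	attrUserName             = 1
	attrMessageAuthenticator = 80
)

// findMessageAuthenticator walks the attribute list and returns the offset
// of the 16-byte Message-Authenticator value, rejecting malformed lengths.
func findMessageAuthenticator(pkt []byte) (int, error) {
	if len(pkt) < radiusHeaderLen {
		return 0, errors.New("packet shorter than RADIUS header")
	}
	off := radiusHeaderLen
	for off+2 <= len(pkt) {
		t, l := pkt[off], int(pkt[off+1])
		if l < 2 || off+l > len(pkt) {
			return 0, errors.New("malformed attribute length")
		}
		if t == attrMessageAuthenticator {
			if l != 18 {
				return 0, errors.New("Message-Authenticator value must be 16 bytes")
			}
			return off + 2, nil
		}
		off += l
	}
	return 0, errors.New("Message-Authenticator attribute missing")
}

// ComputeMessageAuthenticator implements RFC 2869 section 5.14: HMAC-MD5,
// keyed with the shared secret, over the whole packet with the attribute's
// own 16 value bytes zeroed. The Request Authenticator is hashed as-is.
func ComputeMessageAuthenticator(secret, pkt []byte) ([]byte, error) {
	off, err := findMessageAuthenticator(pkt)
	if err != nil {
		return nil, err
	}
	tmp := append([]byte(nil), pkt...)
	for i := off; i < off+16; i++ {
		tmp[i] = 0
	}
	mac := hmac.New(md5.New, secret)
	mac.Write(tmp)
	return mac.Sum(nil), nil
}

// VerifyMessageAuthenticator is the server-side check: a packet without
// the attribute, or with a MAC that does not match, is rejected.
func VerifyMessageAuthenticator(secret, pkt []byte) bool {
	off, err := findMessageAuthenticator(pkt)
	if err != nil {
		return false
	}
	want, err := ComputeMessageAuthenticator(secret, pkt)
	if err != nil {
		return false
	}
	return hmac.Equal(want, pkt[off:off+16])
}

// BuildAccessRequest assembles a minimal Access-Request (code 1) carrying
// User-Name and a correctly computed Message-Authenticator, standing in for
// what the VPN appliance would send. Usernames longer than 253 bytes do not
// fit a single attribute and are not handled here.
func BuildAccessRequest(secret []byte, id byte, reqAuth [16]byte, username string) []byte {
	pkt := []byte{1, id, 0, 0}
	pkt = append(pkt, reqAuth[:]...)
	pkt = append(pkt, attrUserName, byte(2+len(username)))
	pkt = append(pkt, username...)
	pkt = append(pkt, attrMessageAuthenticator, 18)
	pkt = append(pkt, make([]byte, 16)...) // zeroed while the MAC is computed
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	mac, _ := ComputeMessageAuthenticator(secret, pkt)
	copy(pkt[len(pkt)-16:], mac)
	return pkt
}

func main() {
	secret := []byte("secret") // constructed; same value as Secret in the posted config
	var reqAuth [16]byte
	for i := range reqAuth { // constructed; a real client uses random bytes
		reqAuth[i] = byte(i)
	}
	pkt := BuildAccessRequest(secret, 7, reqAuth, "john.doe")
	fmt.Println("packet:", hex.EncodeToString(pkt))
	fmt.Println("valid with right secret:", VerifyMessageAuthenticator(secret, pkt))
	fmt.Println("valid with wrong secret:", VerifyMessageAuthenticator([]byte("wrong"), pkt))
}
```

The verification also fails for a packet whose attribute is absent or whose User-Name has been modified in transit, which is the integrity property the setting buys; it also means both the NAS and the RADIUS server must agree on the shared secret byte for byte, including trailing whitespace.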

@Zamana commented on GitHub (Sep 22, 2025):

Sure.

With:

```
EnableMessageAuthenticator = True
(...)
ForceSearchForSamAccountName = true
```

here are the results:

[Two screenshots of the results were attached: https://github.com/user-attachments/assets/e355ff43-c058-41cb-b673-56d2176ac6a1 and https://github.com/user-attachments/assets/7fe87246-7a22-44f7-9382-9c643cbf19ba]

@abbas-gheydi commented on GitHub (Sep 22, 2025):

I wanted to clarify that the ForceSearchForSamAccountName setting was added to fix issue #9 . To help us debug further, I'll be adding a debugging mode option and will let you know as soon as it's ready.


@zamana-7comm commented on GitHub (Oct 24, 2025):

Hi!

Any news on this?

Thanks.
