WG: Problem conversion of User-Name

marcus.koestler at polizei.bayern.de marcus.koestler at polizei.bayern.de
Thu Oct 13 15:58:23 CEST 2005



> Hello,
> 
> I have a problem after converting a User-Name of the form 27180769 to
> 27180769 at apfelbaum.de. 
> 
> After the radius-server has authorized the request I want to convert my user to an
> @-form to pass it to the rlm_krb5 module for authentication, because we
> have different Kerberos realms and the name 27180769 is probably not
> enough to pick the right Kerberos server from krb5.conf.
> 
> For this purpose my external program gives back a value pair in the form
> "User-Name := 27180769 at apfelbaum.de", after I feed it with the LDAP-DN
> from the LDAP-request, to pick the right realm.
> 
> It seems that the memory allocated for User-Name is not reallocated, so
> vals of other vars were overwritten after the program returns. 
> 
> Here is my debug output from radiusd -s -xx:
> 
> Exec-Program: /usr/local/bin/convert.php
> CN=27180769,CN=Users,DC=apfelbaum,DC=de
> Exec-Program output: User-Name := 27180769 at APFELBAUM.DE
> Exec-Program-Wait: value-pairs: User-Name := 27180769 at APFELBAUM.DE
> Exec-Program: returned: 0
>   modcall[authorize]: module "convert_name" returns ok for request 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=apfelbaum,dc=de'
> radius_xlat:
> '(|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(
> &(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apf
> elbaum,DC=de)))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de,
> with filter
> (|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&
> (objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfe
> lbaum,DC=de)))
> rlm_ldap::ldap_groupcmp: User found in group
> cn=modemuser,cn=Users,dc=apfelbaum,dc=de
> rlm_ldap: ldap_release_conn: Release Id: 0
>     users: Matched entry DEFAULT at line 219
> radius_xlat:  'number=08912124447 direction=outgoing'
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type Kerberos
> auth: type "Kerberos"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_krb5:
> [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=
> de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in
> requested realm
>   modcall[authenticate]: module "krb5" returns reject for request 0
> modcall: group authenticate returns reject for request 0
> auth: Failed to validate the user.
> Login incorrect:
> [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from
> client localhost port 0)
> 
> 
> A snippet from radiusd.conf:
> 
> 
> exec convert_name {
>         wait = yes
>         program = "/usr/local/bin/convert.php %{Ldap-UserDn}"
>         input_pairs = request
>         output_pairs = request
> }
> 
> authorize {
>         ldap {
>                 notfound = return
>         }
>         convert_name
>         files
> }
> 
> My users file:
> 
> DEFAULT Ldap-Group == "cn=modemuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type := Kerberos
>         DIALT := "number=%{reply:DIALT} direction=outgoing",
>         PPPT := "callback=ppp_offered blocktime=3 Layer1Protocol=modem",
>         Idle-Timeout = 900,
>         Framed-Protocol = PPP,
>         User-Service := 2,
>         Fall-Through = 0,
>         Framed-Netmask := 255.255.255.255
> 
> DEFAULT Ldap-Group == "cn=isdnuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type := Kerberos
>         DIALT := "number=%{reply:DIALT} direction=outgoing",
>         PPPT := "callback=ppp_offered blocktime=3",
>         Idle-Timeout = 900,
>         Framed-Protocol = PPP,
>         User-Service := 2,
>         Fall-Through = 0,
>         Framed-Netmask := 255.255.255.255
> 
> 
> DEFAULT Auth-Type := Reject
>         Reply-Message = "Your account has been disabled."
> 
> 
> Greetings
> Marcus Koestler
> Bayerisches Landeskriminalamt
> SG 343, Netztechnik
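
The conversion step described in the message (LDAP DN in, `User-Name` value pair out), as an added example that is not part of the original post and is not the poster's convert.php. It is a Python stand-in that assumes the leading CN is the user and the DC components form the realm, writes the name in the @-form the message describes, and rejects any DN whose parts fall outside a strict allow-list; the function names and allow-list patterns are assumptions.

```python
import re
import sys

# Assumed allow-lists (not from the post): values outside them are rejected
# rather than written into the request as a new User-Name.
CN_OK = re.compile(r"[A-Za-z0-9._-]{1,64}")
DC_OK = re.compile(r"[A-Za-z0-9-]{1,63}")


def split_dn(dn):
    """Split a DN into (TYPE, value) pairs; escaped commas do not split."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append(cur)
            cur = ""
            continue
        cur += ch  # escapes stay verbatim, so escaped values fail the allow-list
        esc = ch == "\\" and not esc
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def dn_to_principal(dn):
    """Leading CN is taken as the user, the DC components as the realm."""
    pairs = split_dn(dn)
    if pairs[0][0] != "CN" or not CN_OK.fullmatch(pairs[0][1]):
        raise ValueError("unexpected user RDN")
    dcs = [v for k, v in pairs if k == "DC"]
    if not dcs or not all(DC_OK.fullmatch(v) for v in dcs):
        raise ValueError("unexpected realm components")
    return "%s@%s" % (pairs[0][1], ".".join(dcs).upper())


def value_pair(dn):
    """Format the principal as the value pair the exec module reads back."""
    return "User-Name := %s" % dn_to_principal(dn)


if __name__ == "__main__":
    try:
        print(value_pair(sys.argv[1]))
    except (IndexError, ValueError) as exc:
        sys.exit("convert: %s" % exc)  # message to stderr, exit status 1
```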


