WG: Problem conversion of User-Name

Kenneth Grady klg at lanl.gov
Thu Oct 13 16:20:21 CEST 2005


in your /etc/krb5.conf do you have
...
[realms]
	apfelbaum.de = {
		kdc = kerberos...


On Thu, 2005-10-13 at 07:58, marcus.koestler at polizei.bayern.de wrote:
> > Hello,
> > 
> > I have a problem after converting a User-Name of the form 27180769 to
> > 27180769 at apfelbaum.de.
> > 
> > After the RADIUS server has authorized the request, I want to convert my
> > user to the @-form to pass it to the rlm_krb5 module for authentication,
> > because we have different Kerberos realms and the name 27180769 is
> > probably not enough to pick the right Kerberos server from krb5.conf.
> > 
> > For this purpose my external program returns a value pair of the form
> > "User-Name := 27180769 at apfelbaum.de" after I feed it the LDAP DN from
> > the LDAP request, to pick the right realm.
> > 
> > It seems that the memory allocated for User-Name is not reallocated, so
> > the values of other variables are overwritten after the program returns.
> > 
> > Here is my debug output from radiusd -s -xx:
> > 
> > Exec-Program: /usr/local/bin/convert.php
> > CN=27180769,CN=Users,DC=apfelbaum,DC=de
> > Exec-Program output: User-Name := 27180769 at APFELBAUM.DE
> > Exec-Program-Wait: value-pairs: User-Name := 27180769 at APFELBAUM.DE
> > Exec-Program: returned: 0
> >   modcall[authorize]: module "convert_name" returns ok for request 0
> > rlm_ldap: Entering ldap_groupcmp()
> > radius_xlat:  'dc=apfelbaum,dc=de'
> > radius_xlat:
> > '(|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(
> > &(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apf
> > elbaum,DC=de)))'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de,
> > with filter
> > (|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&
> > (objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfe
> > lbaum,DC=de)))
> > rlm_ldap::ldap_groupcmp: User found in group
> > cn=modemuser,cn=Users,dc=apfelbaum,dc=de
> > rlm_ldap: ldap_release_conn: Release Id: 0
> >     users: Matched entry DEFAULT at line 219
> > radius_xlat:  'number=08912124447 direction=outgoing'
> >   modcall[authorize]: module "files" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> >   rad_check_password:  Found Auth-Type Kerberos
> > auth: type "Kerberos"
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 0
> > rlm_krb5:
> > [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=
> > de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in
> > requested realm
> >   modcall[authenticate]: module "krb5" returns reject for request 0
> > modcall: group authenticate returns reject for request 0
> > auth: Failed to validate the user.
> > Login incorrect:
> > [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from
> > client localhost port 0)
> > 
> > 
> > A snippet from radiusd.conf:
> > 
> > 
> > exec convert_name {
> >         wait = yes
> >         program = "/usr/local/bin/convert.php %{Ldap-UserDn}"
> >         input_pairs = request
> >         output_pairs = request
> > }
> > 
> > authorize {
> >         ldap {
> >                 notfound = return
> >         }
> >         convert_name
> >         files
> > }
> > 
> > My users file:
> > 
> > DEFAULT Ldap-Group == "cn=modemuser,cn=Users,dc=apfelbaum,dc=de",
> > Auth-Type:=Kerberos
> >         DIALT := "number=%{reply:DIALT} direction=outgoing",
> >         PPPT := "callback=ppp_offered blocktime=3 Layer1Protocol=modem",
> >         Idle-Timeout = 900,
> >         Framed-Protocol = PPP,
> >         User-Service := 2,
> >         Fall-Through = 0,
> >         Framed-Netmask := 255.255.255.255
> > 
> > DEFAULT Ldap-Group == "cn=isdnuser,cn=Users,dc=apfelbaum,dc=de",
> > Auth-Type:=Kerberos
> >         DIALT := "number=%{reply:DIALT} direction=outgoing",
> >         PPPT := "callback=ppp_offered blocktime=3",
> >         Idle-Timeout = 900,
> >         Framed-Protocol = PPP,
> >         User-Service := 2,
> >         Fall-Through = 0,
> >         Framed-Netmask := 255.255.255.255
> > 
> > 
> > DEFAULT Auth-Type := Reject
> >         Reply-Message = "Your account has been disabled."
> > 
> > 
> > greetings
> > Marcus Koestler
> > Bayerisches Landeskriminalamt
> > SG 343, Netztechnik
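The thread never shows what convert.php does, so here is an added example (not the poster's script and not part of the FreeRADIUS project) of the job it is meant to do, written as a shell stand-in: take the LDAP DN that the exec module passes as the first argument via %{Ldap-UserDn}, derive user@REALM from the leftmost CN and the DC components, and print the one "User-Name := value" line that rlm_exec reads back from stdout. The function names dn_to_principal and emit_user_name and the script path are assumptions; the sample DN is the one visible in the debug output above. Two practitioner points are built in: the realm is emitted upper-case, which matters because Kerberos realm names are case-sensitive (the debug output shows APFELBAUM.DE going to rlm_krb5, so the key under [realms] in krb5.conf has to be spelled exactly that way, not apfelbaum.de), and the script exits non-zero instead of printing a half-built principal when the DN has no CN or no DC, so the module fails the request rather than handing rlm_krb5 a User-Name it cannot resolve a KDC for.

```shell
#!/bin/sh
# Added example (not the poster's convert.php): derive a Kerberos principal
# from the LDAP DN that rlm_exec hands us in argv[1], and print it back in
# the "Attribute := value" form the exec module parses from stdout.
# Function names and the sample DN used in the tests are assumptions.

# dn_to_principal DN
# Prints user@REALM on stdout. Returns 1 and prints nothing if the DN has no
# CN or no DC components, so the caller never emits a half-built User-Name.
# Escaped commas inside RDN values (\,) are not handled; the DNs in the
# thread do not contain them.
dn_to_principal() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F'=' '
        {
            attr = toupper($1); gsub(/^ +| +$/, "", attr)
            val = $0; sub(/^[^=]*=/, "", val)
            # leftmost CN is the user; the DC components, joined, are the realm
            if (attr == "CN" && user == "") user = val
            if (attr == "DC") realm = (realm == "" ? val : realm "." val)
        }
        END {
            if (user == "" || realm == "") exit 1
            # Kerberos realm names are case-sensitive and conventionally
            # upper-case; the [realms] key in krb5.conf must match exactly.
            printf "%s@%s\n", user, toupper(realm)
        }'
}

# emit_user_name DN
# What rlm_exec consumes: one "User-Name := value" line on stdout, exit 0.
# A non-zero exit makes the module return fail instead of overwriting the
# request with a broken principal.
emit_user_name() {
    principal=$(dn_to_principal "$1") || return 1
    printf 'User-Name := %s\n' "$principal"
}

# Entry point when radiusd runs it, e.g. (assumed path)
#   program = "/usr/local/bin/convert.sh %{Ldap-UserDn}"
if [ $# -gt 0 ]; then
    emit_user_name "$1" || { echo "cannot derive a realm from DN: $1" >&2; exit 1; }
fi
```

Run it by hand with the DN from the debug output, `./convert.sh 'CN=27180769,CN=Users,DC=apfelbaum,DC=de'`, and compare the realm it prints against the [realms] entry in /etc/krb5.conf character for character; that is the quick check for the "Cannot resolve network address for KDC in requested realm" error. Note that in the debug output the principal that actually reached rlm_krb5 was an LDAP filter fragment, not the value the exec module logged, so the realm it tried to look up could never match any entry.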