LDAP and realms

Corey Burks cburks at zhone.com
Fri May 19 08:01:53 CEST 2006


We have 2 clients authenticating users. One passes simply the uid (cburks) and
users authenticate properly.

The other client is passing username and realm (cburks at zhone.com), which
fails. I have configured the zhone.com realm in the proxy.conf file like this:

realm zhone.com {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

Radiusd.conf file has the following in the ldap section.

filter = "(uid=%u)"

This works for username only; username + realm does not work.

If I switch to:

filter = "(uid=%{Stripped-User-Name})"

username + realm works and username alone fails.

Is there a different way to strip off the realm, so I can have both ways
working?

Thanks

Corey


When I run radiusd in debug I see that the realm is getting stripped but the
username and realm are still being passed to LDAP.

Debug output:

rad_recv: Access-Request packet from host 172.16.15.251:2502, id=20, length=80
        User-Name = "cburks at zhone.com"
        User-Password = "password"
        Vendor-3076-Attr-32 = 0x00000004
        NAS-IP-Address = 172.16.15.251
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "zhone.com" for User-Name = "cburks at zhone.com"
    rlm_realm: Found realm "zhone.com"
    rlm_realm: Adding Stripped-User-Name = "cburks"
    rlm_realm: Proxying request from user cburks to realm zhone.com
    rlm_realm: Adding Realm = "zhone.com"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 270
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for cburks
radius_xlat:  '(uid=cburks at zhone.com)'
radius_xlat:  'ou=people,o=oak.zhone.com,o=zhone.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to newldap.oak.zhone.com:389, authentication 0
rlm_ldap: bind as uid=radius,o=oak.zhone.com,o=zhone.com/password to newldap.oak.zhone.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filter (uid=cburks at zhone.com)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "cburks" with password "password"
radius_xlat:  '(uid=cburks at zhone.com)'
radius_xlat:  'ou=people,o=oak.zhone.com,o=zhone.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filter (uid=cburks at zhone.com)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns notfound for request 0
modcall: leaving group LDAP (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [cburks at zhone.com/password] (from client zw2-vpn1 port 0)
Delaying request 0 for 1 seconds
Finished request 0
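One filter that serves both clients, shown as an added example that is not part of the original post: the debug output above shows `%u` expanding to the full User-Name even after rlm_realm has added Stripped-User-Name, so the fix is to prefer Stripped-User-Name and fall back to User-Name when no realm matched. The server, bind DN and base DN are taken from the debug output; the bind password is a placeholder, and the `%{attr:-default}` fallback form is assumed to be supported by the server's xlat.

```conf
# radiusd.conf, ldap section (added example, not from the original post).
# Assumes the server's xlat supports the "%{attr:-default}" fallback form.
ldap {
        server   = "newldap.oak.zhone.com"
        identity = "uid=radius,o=oak.zhone.com,o=zhone.com"
        password = "<bind-password-placeholder>"
        basedn   = "ou=people,o=oak.zhone.com,o=zhone.com"

        # Fails for user@realm: %u is always the full User-Name, so the
        # search runs as (uid=cburks@zhone.com) even after realm stripping.
        # filter = "(uid=%u)"

        # Fails for a bare uid: Stripped-User-Name is only added when a
        # realm matched, so it expands to an empty string and the search
        # runs as (uid=).
        # filter = "(uid=%{Stripped-User-Name})"

        # Works for both: use Stripped-User-Name when rlm_realm set it,
        # otherwise fall back to the unmodified User-Name.
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}
```

Verify with `radiusd -X`: the `radius_xlat:` line before the LDAP search should show `(uid=cburks)` for both the bare and the realm-qualified login.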
