Stripping domain from username
Nicholas Hall
ngharo at gmail.com
Tue Aug 7 22:14:26 CEST 2007
Hello all. I know this subject has come up many times on this list before,
but I'm still having problems.
According to what I've read, the HINTS file is the best place to do this.
Here are the relevant portions of my config, running CVS from 2007-08-01. My
understanding is that when a hints entry carrying Strip-User-Name = Yes
matches, FreeRADIUS adds a Stripped-User-Name attribute holding the name
without the domain (the User-Name attribute itself is left as the NAS sent
it); the ldap filter below is written against exactly that attribute and
falls back to the full User-Name when it is absent, which is why the LDAP
lookup only works if the stripping actually happens. Any tips would be
greatly appreciated.
HINTS
----------------------------------------------------------------------------------------
DEFAULT Suffix == "@alexssa.net", Strip-User-Name = Yes
radiusd.conf
----------------------------------------------------------------------------------------
preprocess {
hints = ${confdir}/hints
}
Below is the debug output from radiusd -X (the list archive renders "@" as
" at "). Two things stand out in it. First, although "++[preprocess] returns
ok", no "hints: Matched ..." line follows it (compare "users: Matched entry
DEFAULT at line 16" further down), and every later expansion of
%{Stripped-User-Name} is empty, so the hints entry apparently never fires;
the ldap filter therefore falls back to the full User-Name, the search for
uid=atvcrew@alexssa.net finds nothing, and the request ends as "User not
found". Note also that the authorize sequence shown never calls the "suffix"
instance of rlm_realm; a local realm for alexssa.net (no authhost/accthost)
together with "suffix" in authorize is the other, usually recommended, way to
populate Stripped-User-Name, and it does not depend on a hints match. Second,
a caution before pasting output like this anywhere: the config dump redacts
the ldap password and the client secrets, but the later line "rlm_ldap: bind
as cn=root,dc=alexssa,dc=net/62b879A" appears to print the bind password in
clear, and both the Access-Request dump and the "Login incorrect" line print
the user's password; treat those credentials as disclosed and rotate them.
The same caveat applies to log_auth_badpass/log_auth_goodpass = yes in the
config, which write attempted passwords into radius.log. Separately, both
ldap instances bind as the directory root DN over plain port 389 (tls_mode =
no, start_tls = no), so that credential crosses the network in clear on every
reconnect; a dedicated low-privilege bind DN and start_tls = yes would be the
practitioner's fix, independent of the stripping problem.
----------------------------------------------------------------------------------------
FreeRADIUS Version 2.0.0-pre2, for host i686-pc-linux-gnu, built on Aug 1
2007 at 10:03:50
Copyright (C) 2000-2007 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Config: including file: /usr/local/etc/raddb/radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/sql.conf
Config: including file: /usr/local/etc/raddb/sql/mysql/dialup.conf
Config: including files in directory: /usr/local/etc/raddb/sites-enabled/
Config: including file: /usr/local/etc/raddb/sites-enabled/default
Starting - reading configuration files ...
read_config_files: reading dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
log_stripped_names = no
log_file = "/usr/local/var/log/radius/radius.log"
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
user = "nobody"
group = "nogroup"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
syslog_facility = "daemon"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
listen {
type = "auth"
ipaddr = *
port = 1812
client 127.0.0.1 {
secret = "test"
shortname = "localhost"
nastype = "other"
}
client 38.119.184.54 {
secret = "xxxx"
shortname = "openvpn"
nastype = "other"
}
client 38.119.184.74 {
secret = "xxx"
shortname = "totalcontrol"
nastype = "usrhiper"
}
client 38.119.184.4 {
secret = "xxxx"
shortname = "arc0"
nastype = "usrhiper"
}
client 38.119.188.211 {
secret = "xxxx"
shortname = "igateway.hnet.net"
nastype = "cisco"
}
}
listen {
type = "acct"
ipaddr = *
port = 1813
}
radiusd: entering modules setup
radiusd: Library search path is /usr/local/lib
modules: Not loading pre-proxy{} section
modules: Not loading post-proxy{} section
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating auth_log
detail auth_log {
detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/usr/local/etc/raddb/users"
compat = "no"
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap01.alexssa.net
ldap ldap01.alexssa.net {
server = "ldap02.alexssa.net"
port = 389
password = "xxxxxx"
identity = "cn=root,dc=alexssa,dc=net"
net_timeout = 1
timeout = 5
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "ou=users,ou=radius,dc=alexssa,dc=net"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = yes
access_attr_used_for_allow = yes
groupname_attribute = "radiusGroupName"
groupmembership_filter =
"(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusprofile)"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = no
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap01.alexssa.net-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap01.alexssa.net-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap01.alexssa.net
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusIPPool mapped to RADIUS Pool-Name
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x801188f0
Module: Instantiating ldap02.alexssa.net
ldap ldap02.alexssa.net {
server = "ldap02.alexssa.net"
port = 389
password = "xxxxx"
identity = "cn=root,dc=alexssa,dc=net"
net_timeout = 1
timeout = 5
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "ou=users,ou=radius,dc=alexssa,dc=net"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = yes
access_attr_used_for_allow = yes
groupname_attribute = "radiusGroupName"
groupmembership_filter =
"(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusprofile)"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = no
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ldap02.alexssa.net-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ldap02.alexssa.net-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap02.alexssa.net
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusIPPool mapped to RADIUS Pool-Name
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x80119c98
Module: Linked to module rlm_counter
Module: Instantiating daily
counter daily {
filename = "/usr/local/etc/raddb/db.daily"
key = "User-Name"
reset = "daily"
count-attribute = "Acct-Session-Time"
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
reply-name = "Session-Timeout"
allowed-servicetype = "Framed-User"
cache-size = 5000
}
rlm_counter: Counter attribute Daily-Session-Time is number 11275
rlm_counter: Current Time: 1186499334 [2007-08-07 10:08:54], Next reset
1186549200 [2007-08-08 00:00:00]
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating acctdetail
detail acctdetail {
detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_ippool
Module: Instantiating dialup
ippool dialup {
session-db = "/usr/local/etc/raddb/dialup.ippool"
ip-index = "/usr/local/etc/raddb/dialup.ipindex"
key = "%{NAS-IP-Address} %{NAS-Port}"
range-start = 38.119.191.1 IP address [38.119.191.1]
range-stop = 38.119.191.254 IP address [38.119.191.254]
netmask = 255.255.255.255 IP address [255.255.255.255]
cache-size = 253
override = no
maximum-timeout = 0
}
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
Initializing the thread pool...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1 port 1027, id=101,
length=83
User-Name = "atvcrew at alexssa.net"
User-Password = "polaris"
Service-Type = Framed-User
NAS-Port = 2067
NAS-IP-Address = 127.0.0.1
NAS-Port-Type = Async
+- entering group authorize
++[preprocess] returns ok
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20070807
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20070807
expand: %t -> Tue Aug 7 10:10:30 2007
++[auth_log] returns ok
++[chap] returns noop
rlm_ldap: Entering ldap_groupcmp()
expand: ou=users,ou=radius,dc=alexssa,dc=net ->
ou=users,ou=radius,dc=alexssa,dc=net
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> atvcrew at alexssa.net
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=
atvcrew at alexssa.net)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap02.alexssa.net:389, authentication 0
rlm_ldap: bind as cn=root,dc=alexssa,dc=net/62b879A to
ldap02.alexssa.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with
filter (uid=atvcrew at alexssa.net)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
expand: ou=users,ou=radius,dc=alexssa,dc=net ->
ou=users,ou=radius,dc=alexssa,dc=net
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> atvcrew at alexssa.net
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=
atvcrew at alexssa.net)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with
filter (uid=atvcrew at alexssa.net)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 16
++[files] returns ok
++- entering redundant-load-balance group
rlm_ldap: - authorize
rlm_ldap: performing user authorization for atvcrew at alexssa.net
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> atvcrew at alexssa.net
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=
atvcrew at alexssa.net)
expand: ou=users,ou=radius,dc=alexssa,dc=net ->
ou=users,ou=radius,dc=alexssa,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,ou=radius,dc=alexssa,dc=net, with
filter (uid=atvcrew at alexssa.net)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap02.alexssa.net] returns notfound
++- redundant-load-balance group returns notfound
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [atvcrew at alexssa.net/polaris]
(from client localhost port 2067)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> atvcrew at alexssa.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Sending delayed reject for request 0
Sending Access-Reject of id 101 to 127.0.0.1 port 1027
Reply-Message = "Please call the helpdesk."
Waking up in 4 seconds...
Cleaning up request 0 ID 101 with timestamp +95
Nothing to do. Sleeping until we see a request.
--
Nicholas Hall
ngharo at gmail.com
262.208.6271