Couldn't authenticate windows host account with freeradius + ldap backend + samba domain controller

david.barbion at adeoservices.com
Mon Dec 17 09:44:17 CET 2007


Alan DeKok wrote:

Thanks for your answers.
> david.barbion at adeoservices.com wrote:
>   
>> Hello,
>> The problem is when a computer tries to authenticate, the User-Name sent
>> is "host//computername/", but in ldap we have entries like
>> /computername/$. So we have some attr_rewrite that removes host/ and
>> adds the dollar sign.
>>     
>
>   Why?  You can just create a *new* attribute, Stripped-User-Name, with
> the updated contents.  Then, configure the ldap module to look first for
> Stripped-User-Name, and then User-Name:
>
>   foo = "... %{Stripped-User-Name:-%{User-Name}} ..."
>
>   See doc/variables.txt
>
>   
In the radiusd.conf config file, the %{Stripped-User-Name} is correctly 
created from %{User-Name}.
%{User-Name} looks like "host/computername" and is not modified,
%{Stripped-User-Name} looks like "computername$"

In the ldap module, it is %{Stripped-User-Name} that is used.
>> rlm_ldap finds the entry correctly, but EAP
>> complains about the user name change: "*rlm_eap: Identity does not match
>> User-Name, setting from EAP Identity.**
>>  rlm_eap: Failed in handler"
>>     
>
>   Then... don't edit the User-Name.  There's no need to edit it.
>
>   Alan DeKok.
>   
I have made some tests with and without the %{User-Name} change, but
nothing helps.

I have another question: How does the EAP/MSCHAPV2 authentication work?
Which username/password couples does it take? And which database
does it compare them to?

Regards