Re: Add $ to end of machine account uid

To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: Add $ to end of machine account uid
From: Cody Jarrett <cody.jarrett@itfreedom.com>
Date: Fri, 06 Jul 2007 12:10:11 -0500
In-reply-to: <20070706144846.GC19106@lboro.ac.uk>
References: <468E54C9.9020208@itfreedom.com> <20070706144846.GC19106@lboro.ac.uk>
Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
User-agent: Thunderbird 2.0.0.4 (X11/20070620)

I've about got it, but now I am getting an eap error about the username isn't correct.

I added this about preprocess:
attr_rewrite add-dollar-sign {
                attribute = User-Name
                searchfor = "^host/(.*)"
                searchin = packet
                new_attribute = no
                replacewith = "%{1}$"
        }

I've added add-dollar-sign to authorize { section.

rad_recv: Access-Request packet from host 10.1.22.11:2135, id=64, length=168
        NAS-IP-Address = 10.1.22.11
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 12
        Framed-MTU = 1400
        User-Name = "host/itf-toshiba-asd"
        Calling-Station-Id = "000e35ff2a82"
        Called-Station-Id = "00186ecfa600"
        NAS-Identifier = "ap01.intranet.domain.com"
        EAP-Message = 0x02010019234486f73742f6974662d746f73686962612d617364
        Message-Authenticator = 0x2b72b4ab80aaf3aa96b4613f3ab872341d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
radius_xlat: '^host/(.*)'
radius_xlat: 'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
modcall[authorize]: module "add-dollar-sign" returns ok for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '\' in User-Name = "itf-toshiba-asd$", looking up realm NULL
    rlm_realm: No such realm "NULL"
modcall[authorize]: module "DOMAIN" returns noop for request 2
rlm_eap: EAP packet type response id 1 length 25
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=domain,dc=com'
radius_xlat: '(uid=itf-toshiba-asd$)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (&(cn=wireless)(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$)))
rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "files" returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for itf-toshiba-asd$
radius_xlat: '(uid=itf-toshiba-asd$)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$)
rlm_ldap: checking if remote access for itf-toshiba-asd$ is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [W          ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 78389E5DE0CCA3A288568FADB746063D & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user itf-toshiba-asd$ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds

A.L.M.Buxey@lboro.ac.uk wrote:

Hi,

I need machines to be able to authenticate so that when a user who has 
never logged onto a computer can, by the machine have an active network 
connection and pulling the credentials from the samba-ldap domain. I 
have a realm setup to strip the domain/ part of the username which works 
fine, but I need to figure out how to add a $ at the end of anything 
that tries to connect as uid=host/computername. I'm sure I can figure 
out how to strip the host prefix, but can't quit figure out how to add 
the $ to the end. Thanks.


use the link on the novell site as per the discussions earlier today.

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Follow-Ups:
- Re: Add $ to end of machine account uid
  - From: A.L.M.Buxey@lboro.ac.uk

References:
- Add $ to end of machine account uid
  - From: Cody Jarrett <cody.jarrett@itfreedom.com>
- Re: Add $ to end of machine account uid
  - From: A.L.M.Buxey@lboro.ac.uk

Previous by Date: RE: Freeradius-Users Digest, Vol 27, Issue 24
Next by Date: Re: Freeradius-Users Digest, Vol 27, Issue 24
Previous by Thread: Re: Add $ to end of machine account uid
Next by Thread: Re: Add $ to end of machine account uid
Freeradius-Users July 2007 archives indexes sorted by: [ thread ] [ subject ] [ author ] [ date ]
Freeradius-Users list archive Table of Contents
More information about the Freeradius-Users mailing list

This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.