LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu May 1 15:58:05 CEST 2008


Hi,

Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP 
module fails lookups because it claims it can't find the User-Name 
attribute....

  PEAP: Got tunneled EAP-Message
    EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c200000000000000000949c9809c8a97e6c717a5
  PEAP: Setting User-Name to ac221 at sussex.ac.uk
  PEAP: Sending tunneled request
    EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c200000000000000000949c9809c8a97e6c717a5
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "ac221 at sussex.ac.uk"
    State = 0xc771177ac78f0d80e7ad35c717d8d32f
    Framed-MTU = 1480
    NAS-IP-Address = 139.184.6.156
    NAS-Identifier = "hp-e-falm-g-77-sw1"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 1
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "1"
    Called-Station-Id = "001c2ec47180"
    Calling-Station-Id = "001b63a3a8dd"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
server default-inner {
+- entering group authorize
    expand: %{outer.request:Realm} -> local
    expand: %{outer.request:NAS-Flags} -> 010010110000000
    expand: %{outer.request:SS-Flags} -> 0000000000
    expand: %{outer.request:Supplicant-Flags} -> 0001000000
    expand: %{outer.request:Called-Station-SSID} ->
++[request] returns notfound
++? if ("%{User-Name}")
    expand: %{User-Name} -> ac221 at sussex.ac.uk
? Evaluating ("%{User-Name}") -> TRUE
++? if ("%{User-Name}") -> TRUE
++- entering if ("%{User-Name}")
+++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/)
    expand: %{User-Name} -> ac221 at sussex.ac.uk
? Evaluating ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
+++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
+++- entering if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/)
    expand: %{1} -> ac221
++++[request] returns notfound
    expand: %{3} -> sussex.ac.uk
    expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk
++++[request] returns notfound
+++- if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) returns notfound
+++ ... skipping else for request 5: Preceding "if" was taken
++- if ("%{User-Name}") returns notfound
rlm_ldap: - authorize
rlm_ldap: Attribute "User-Name" is required for authorization.
++[ldap] returns noop

Relevant filter line in LDAP is:

filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

Why is there now a static requirement for the User-Name attribute to be present anyway? Especially when the filter is defined in the config...
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
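The debug output above shows two things happening before rlm_ldap runs: the inner request's User-Name is split on the `@` with the regex `^([^@]*)(@([-[:alnum:].]+))?$` (the archive renders the `@` in the username as " at "), and the ldap filter then expands `%{%{Stripped-User-Name}:-%{User-Name}}`, i.e. Stripped-User-Name with User-Name as the fallback. The following is an added example, not code from the post or from FreeRADIUS, that models both steps in Python so the fallback behaviour can be checked against a request: the regex is a Python spelling of the POSIX one (Python's `re` has no `[:alnum:]`), the `xlat` function is a hypothetical minimal parser that understands only the `%{Attr}` and `%{%{A}:-%{B}}` shapes, `strip_realm` is an assumed illustrative step for how Stripped-User-Name gets populated, the RFC 4515 escaping is added as a defensive step rather than a claim about what rlm_ldap does, and all usernames are constructed sample values.

```python
import re
from typing import Dict, Optional, Tuple

# Python spelling of the POSIX ERE seen in the debug log:
#   ^([^@]*)(@([-[:alnum:].]+))?$
# Python's re module has no [:alnum:], so the class is written out.
USER_REALM_RE = re.compile(r"^([^@]*)(@([-A-Za-z0-9.]+))?$")

# Hypothetical minimal xlat parser: only %{Attr} and %{%{A}:-%{B}} are
# supported; this is not the full unlang xlat grammar.
_SIMPLE = re.compile(r"^%\{([A-Za-z0-9-]+)\}$")
_FALLBACK = re.compile(r"^%\{(%\{[A-Za-z0-9-]+\}):-(%\{[A-Za-z0-9-]+\})\}$")

# Filter template from the post; the uid value is the xlat being discussed.
FILTER_TEMPLATE = "(uid=%s)"
UID_XLAT = "%{%{Stripped-User-Name}:-%{User-Name}}"


def split_realm(user_name: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (%{1}, %{3}) as the debug log labels them: user part and realm."""
    m = USER_REALM_RE.match(user_name)
    if m is None:
        return None
    return m.group(1), m.group(3)


def strip_realm(request: Dict[str, str]) -> Dict[str, str]:
    """Assumed illustrative step: populate Stripped-User-Name and Realm from
    User-Name the way the 'if' block in the log appears to. Existing values
    are left alone."""
    parts = split_realm(request.get("User-Name", ""))
    if parts is None:
        return request
    user, realm = parts
    out = dict(request)
    if user:
        out.setdefault("Stripped-User-Name", user)
    if realm:
        out.setdefault("Realm", realm)
    return out


def xlat(expr: str, request: Dict[str, str]) -> Optional[str]:
    """Resolve one xlat expression against a request (attribute -> value).
    None means the attribute is absent or empty, which is what triggers the
    ':-' fallback."""
    m = _FALLBACK.match(expr)
    if m:
        primary = xlat(m.group(1), request)
        return primary if primary else xlat(m.group(2), request)
    m = _SIMPLE.match(expr)
    if m:
        value = request.get(m.group(1))
        return value if value else None
    raise ValueError("unsupported xlat: %s" % expr)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of filter metacharacters (added defensive step, so a
    username cannot change the structure of the search filter)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(request: Dict[str, str]) -> Optional[str]:
    """Expand the uid xlat and build the LDAP filter; None when neither
    Stripped-User-Name nor User-Name is present, the situation behind the
    'Attribute "User-Name" is required' message in the log."""
    uid = xlat(UID_XLAT, request)
    if uid is None:
        return None
    return FILTER_TEMPLATE % ldap_escape(uid)


if __name__ == "__main__":
    # Constructed sample requests (not values from the post).
    inner = {"User-Name": "user1@example.org"}
    print(build_filter(inner))               # falls back to User-Name
    print(build_filter(strip_realm(inner)))  # Stripped-User-Name wins
    print(build_filter({}))                  # nothing to search on -> None
    print(build_filter({"User-Name": "u*)"}))  # metacharacters escaped
```

Running the module prints the filter with the full `user1@example.org` when only User-Name is present, `(uid=user1)` once the realm has been stripped, `None` when both attributes are missing, and an escaped value when the username carries filter metacharacters; the last case is the check worth keeping in mind whenever an LDAP filter is built from a user-supplied name.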