LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4

Hi,

Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute....

 PEAP: Got tunneled EAP-Message
EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c200000000000000000949c9809c8a97e6c717a5
 PEAP: Setting User-Name to ac221@sussex.ac.uk
 PEAP: Sending tunneled request
EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c200000000000000000949c9809c8a97e6c717a5
   FreeRADIUS-Proxied-To = 127.0.0.1
   User-Name = "ac221@sussex.ac.uk"
   State = 0xc771177ac78f0d80e7ad35c717d8d32f
   Framed-MTU = 1480
   NAS-IP-Address = 139.184.6.156
   NAS-Identifier = "hp-e-falm-g-77-sw1"
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = "1"
   Called-Station-Id = "001c2ec47180"
   Calling-Station-Id = "001b63a3a8dd"
   Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = "1"
server default-inner {
+- entering group authorize
   expand: %{outer.request:Realm} -> local
   expand: %{outer.request:NAS-Flags} -> 010010110000000
   expand: %{outer.request:SS-Flags} -> 0000000000
   expand: %{outer.request:Supplicant-Flags} -> 0001000000
   expand: %{outer.request:Called-Station-SSID} ->
++[request] returns notfound
++? if ("%{User-Name}")
   expand: %{User-Name} -> ac221@sussex.ac.uk
? Evaluating ("%{User-Name}") -> TRUE
++? if ("%{User-Name}") -> TRUE
++- entering if ("%{User-Name}")
+++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/)
   expand: %{User-Name} -> ac221@sussex.ac.uk
? Evaluating ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
+++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
+++- entering if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/)
   expand: %{1} -> ac221
++++[request] returns notfound
   expand: %{3} -> sussex.ac.uk
   expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk
++++[request] returns notfound
+++- if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) returns notfound
+++ ... skipping else for request 5: Preceding "if" was taken
++- if ("%{User-Name}") returns notfound
rlm_ldap: - authorize
rlm_ldap: Attribute "User-Name" is required for authorization.
++[ldap] returns noop

Relevant filter line in LDAP is:

filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

Why is there now a static requirement for the User-Name attribute to be present anyway? Especially when the filter is defined in the config...
--
Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
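As an added illustration (not code from the post or from FreeRADIUS itself), the Python below models what the inner server does with User-Name in the debug output above: the realm-splitting regex, the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback from the filter line, and the RFC 4515 escaping a value needs before it is embedded in the `(uid=...)` filter. The request dictionaries are constructed to resemble the tunneled request shown above, and the "required attribute" error is modelled on the rlm_ldap message in the log.

```python
import re

# The realm-splitting regex from the unlang `if` in the debug output above.
# POSIX [:alnum:] is not supported by Python's re, so it is spelt out as A-Za-z0-9.
REALM_RE = re.compile(r'^([^@]*)(@([-A-Za-z0-9.]+))?$')


def split_realm(user_name):
    """Mirror the `"%{User-Name}" =~ /.../` check: return (%{1}, %{3}),
    i.e. (user part, realm or None), or None if the name does not match."""
    m = REALM_RE.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(3)


def xlat_fallback(request, primary, fallback):
    """Expand %{%{primary}:-%{fallback}}: the primary attribute when it is
    present and non-empty, otherwise the fallback (empty string if absent)."""
    return request.get(primary) or request.get(fallback, '')


def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in a search filter, so that
    filter metacharacters in a User-Name cannot change the filter's shape."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def build_uid_filter(request):
    """Expand  filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"  against the
    inner request's attributes.  Like rlm_ldap in the post, refuse to search when
    neither attribute is present rather than looking up an empty uid."""
    if 'User-Name' not in request and 'Stripped-User-Name' not in request:
        raise ValueError('Attribute "User-Name" is required for authorization.')
    return '(uid=%s)' % ldap_escape(xlat_fallback(request, 'Stripped-User-Name', 'User-Name'))


if __name__ == '__main__':
    # Constructed inner request, modelled on the tunneled request in the post
    # (no Stripped-User-Name attribute, as in the attribute dump above).
    inner = {'User-Name': 'ac221@sussex.ac.uk', 'FreeRADIUS-Proxied-To': '127.0.0.1'}
    print(split_realm(inner['User-Name']))   # ('ac221', 'sussex.ac.uk')
    print(build_uid_filter(inner))           # (uid=ac221@sussex.ac.uk)
    inner['Stripped-User-Name'] = split_realm(inner['User-Name'])[0]
    print(build_uid_filter(inner))           # (uid=ac221)
    print(build_uid_filter({'User-Name': '*)(uid=*'}))  # (uid=\2a\29\28uid=\2a)
```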