Strip off the domain part from the User-Name
Thomas Wunder
thomas.wunder at swt-bamberg.de
Fri Mar 25 15:41:06 CET 2011
On Friday 25 March 2011 11:15:58 you wrote:
> Use %{mschap:User-Name} everywhere; this will give the bare username
That sounds consistent, but what exactly do you mean by "everywhere"?
I use policy.conf (as you can see from the debug output in my previous posting) to define some policies that are later used within the 'authorize {...}' sections of sites-available/default and sites-available/inner-tunnel. I no longer use rlm_files; instead I use rlm_ldap to retrieve user/group information from my LDAP server. The only place where I knowingly reference the User-Name attribute is modules/ldap, and there I already do as you suggest (see attachment).
Where else do I need to explicitly specify '%{mschap:User-Name}' to have rlm_mschap accept user names that incorporate a NT-domain name (i.e. to have rlm_mschap ignore the domain component of the user name)?
My modules/mschap config file is pretty minimal at present:
# rlm_mschap instance (modules/mschap). Authentication is steered here via
# Auth-Type := MS-CHAP from policy.conf, or by the module itself when it is
# listed in authorize.
mschap {
# Return MPPE session keys to the NAS so the PPP/VPN session can be encrypted.
use_mppe = yes
# Per the stock module comments: refuse sessions that would run without MPPE,
# and require 128-bit rather than 40/56-bit keys. Keep both at 'yes'.
require_encryption = yes
require_strong = yes
# NOTE(review): this is the documented knob for the question in the message
# body. The stock comment describes it as correcting for Windows clients that
# send DOMAIN\user as the name but compute the challenge response over the
# user part only; %{mschap:User-Name} in other modules does not change what
# rlm_mschap itself verifies the NT-Response against. Confirm against the
# debug output before relying on it.
with_ntdomain_hack = no
}
And what about the realms approach? Can I save myself the trouble?
> (and also correctly translate host/name.domain.com, if you later do
> machine auth)
Thanks!
-------------- next part --------------
# policy.conf: named policies referenced from the authorize / post-auth
# sections of sites-available/default and sites-available/inner-tunnel.
policy {
# Choose the authentication method from what the request carries:
# a cleartext User-Password forces Kerberos; otherwise the mschap module
# runs in authorize and is left to set Auth-Type itself (the explicit
# update below is intentionally commented out).
prefer_kerberos{
if( User-Password ){
update control {
Auth-Type:=Kerberos
}
}
else {
#update control {
# Auth-Type:=MS-CHAP
#}
mschap
}
}
# VPN access: pick the address pool and force MS-CHAP by NAS and LDAP group.
# Called-Station-Id is a NAS-reported value, so this keys the decision on
# which VPN concentrator forwarded the request. Each LDAP-Group comparison
# triggers a group lookup through rlm_ldap.
# NOTE(review): there is no 'else' here, unlike swt_policy below, so a request
# matching neither branch falls through with no Pool-Name/Auth-Type set and is
# left to whatever follows in the authorize section.
swt_vpn_policy{
if( Called-Station-Id == "vpn1" && LDAP-Group == "vpn-staff" ){
update control {
Pool-Name:="vpn_staff"
Auth-Type:=MS-CHAP
}
}
elsif( Called-Station-Id == "vpn2" && LDAP-Group == "vpn-others" ){
update control {
Pool-Name:="vpn_others"
Auth-Type:=MS-CHAP
}
}
#elsif( Called-Station-Id == "c0-91-34-c3-44-00" && ( LDAP-Group == "swtswitch01-staff" || LDAP-Group == "swtswitch01-others" ) ){
# prefer_kerberos
#}
}
# WLAN / wired 802.1X access, matched on the NAS-reported Called-Station-Id
# (AP MAC plus SSID, or switch MAC). Both outer.request:Called-Station-Id and
# the plain attribute are tested so the same policy works from inner-tunnel
# (where the outer request is available) and, presumably, from the default
# server where it is not. Staff SSIDs additionally require the matching
# LDAP group; the OTHERS SSIDs admit any user who authenticates.
swt_policy{
################################################################################################################
#
# STAFF Logins
#
################################################################################################################
if( ( outer.request:Called-Station-Id == "02-6F-83-3A-AD-B8:staff.1.swt.wiai.uni-bamberg.de" || Called-Station-Id == "02-6F-83-3A-AD-B8:staff.1.swt.wiai.uni-bamberg.de" ) && LDAP-Group == "ap_llab-staff" ){
prefer_kerberos
}
elsif( ( outer.request:Called-Station-Id == "0013100adbcf" || Called-Station-Id == "0013100adbcf" ) && LDAP-Group=="ap_llab-staff" ){
prefer_kerberos
}
elsif( ( outer.request:Called-Station-Id == "02-6F-83-3A-B5-E8:staff.2.swt.wiai.uni-bamberg.de" || Called-Station-Id == "02-6F-83-3A-B5-E8:staff.2.swt.wiai.uni-bamberg.de" ) && LDAP-Group == "ap_slab-staff" ){
prefer_kerberos
}
################################################################################################################
#
# OTHERS Logins
#
################################################################################################################
# No LDAP-Group condition on these two branches: group membership is not
# checked for the 'others' SSIDs.
elsif( outer.request:Called-Station-Id == "02-6F-83-3A-AD-B9:others.1.swt.wiai.uni-bamberg.de" || Called-Station-Id == "02-6F-83-3A-AD-B9:others.1.swt.wiai.uni-bamberg.de" ){
prefer_kerberos
}
elsif( outer.request:Called-Station-Id == "02-6F-83-3A-B5-E9:others.2.swt.wiai.uni-bamberg.de" || Called-Station-Id == "02-6F-83-3A-B5-E9:others.2.swt.wiai.uni-bamberg.de" ){
prefer_kerberos
}
################################################################################################################
#
# Wired 802.1X Logins (OTHERS/STAFF)
#
################################################################################################################
# Same switch MAC as assign_vlan_policy below; keep the two in step.
elsif( ( outer.request:Called-Station-Id == "c0-91-34-c3-44-00" || Called-Station-Id == "c0-91-34-c3-44-00" ) && ( LDAP-Group == "swtswitch01-staff" || LDAP-Group == "swtswitch01-others" ) ){
prefer_kerberos
}
################################################################################################################
#
# reject everybody else
#
################################################################################################################
# Fail closed: an unknown NAS/SSID or a user outside the expected groups is
# rejected rather than passed on to a default authentication path.
else{
reject
}
}
################################################################################################################
#
# VLAN Assignment should be done in the post-auth group (of default or inner-tunnel)
#
################################################################################################################
# Dynamic VLAN for the wired switch only: staff land in VLAN 2048, others in
# 2049, via the standard Tunnel-* reply attributes (tag 0). Any other NAS,
# or a user in neither group, gets no VLAN attributes from this policy.
assign_vlan_policy{
if( ( outer.request:Called-Station-Id == "c0-91-34-c3-44-00" || Called-Station-Id == "c0-91-34-c3-44-00" ) ){
if( LDAP-Group == "swtswitch01-staff" ){
update reply {
Tunnel-Private-Group-Id:0 := "2048"
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Type:0 := VLAN
}
}
elsif( LDAP-Group == "swtswitch01-others" ){
update reply {
Tunnel-Private-Group-Id:0 := "2049"
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Type:0 := VLAN
}
}
}
}
}
-------------- next part --------------
# rlm_ldap instance (modules/ldap): user lookup and LDAP-Group resolution
# against a posixAccount/posixGroup directory.
ldap {
# Redaction placeholder from the poster, not configuration syntax: server,
# bind identity and credentials were removed before posting.
<< some ldap connection specific secret options were left out >>
# User search filter. The previous form (kept below) takes Stripped-User-Name
# and falls back to User-Name using the nested %{%{...}:-...} default syntax.
# NOTE(review): the active line puts the ':-' default inside the mschap xlat
# argument instead of wrapping the xlat as the commented line does; confirm
# from the debug output that it really expands to the bare user name and not
# to an empty value or to the raw DOMAIN\user string. The expanded name is
# interpolated into an LDAP filter, so this also relies on rlm_ldap escaping
# filter metacharacters in expanded values; verify that in debug output too.
#filter = "(&(objectClass=posixAccount)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
filter = "(&(objectClass=posixAccount)(uid=%{mschap:User-Name:-%{User-Name}}))"
# Connection pool size and timeouts (seconds): overall query timeout,
# server-side search time limit, and network connect timeout.
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# NOTE(review): with start_tls off, the bind and search traffic is in the clear
# unless the omitted connection options point at an ldaps:// server; confirm
# which applies here.
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
# Novell eDirectory specific check; not used with this posixAccount schema.
edir_account_policy_check = no
# LDAP-Group processing
groupname_attribute = cn
# we need to search for 'uid' or 'memberUid' because according to the schema one can only add 'memberUid' manually though the
# ldap-autogroup overlay uses 'uid' instead (even though this is a schema violation)
# Group membership filter: same user-name expansion as 'filter' above, so the
# same xlat/default-syntax caveat applies here.
#groupmembership_filter = "(&(objectClass=posixGroup)(|(uid=%{Stripped-User-Name:-%{User-Name}})(memberUid=%{Stripped-User-Name:-%{User-Name}})))"
groupmembership_filter = "(&(objectClass=posixGroup)(|(uid=%{mschap:User-Name:-%{User-Name}})(memberUid=%{mschap:User-Name:-%{User-Name}})))"
groupmembership_attribute = radiusGroupName
}