<HTML><HEAD>
<META content="text/html; charset=iso-8859-15" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 9.00.8112.16434"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Segoe UI">
<DIV>Hi All,</DIV>
<DIV> </DIV>
<DIV> I hate to post this here; I am sure there is a fairly simple way to do this, but I have been looking and can't seem to find how to do it.</DIV>
<DIV> </DIV>
<DIV> So we have users that typically log in with a relative context. So there is a base context set to, say, ou=HS1.o=students; then they type in their name with a relative context, so it may be jsmith.y2012, and with our network it sends jsmith.y2012.hs1.students to the server and logs in just fine. The problem we are having is that FreeRADIUS is getting jsmith.y2012 as the username and trying to send that to LDAP, which first does not understand "." and second, the LDAP side is a flattened tree to speed up lookups, so there is no sub-context. </DIV>
<DIV> </DIV>
<DIV> So the solution would seem to be to strip everything after the '.', so "jsmith.y2012" becomes just "jsmith". So I have been approaching it from this side and have tried using hints and attr_rewrite to do it. I am sure I missed something in each of them, because it seems either should work, especially after reading a lot of the archived threads. So this is what I have done so far:</DIV>
<DIV> </DIV>
<DIV>I created a "relative_username" module and placed it in the /etc/raddb/modules directory. Contents are:</DIV>
<DIV> </DIV>
<DIV> <STRONG>attr_rewrite relative_username {<BR> attribute = User-Name<BR> searchin = packet<BR> searchfor = ".y2012"<BR> replacewith = ""<BR> ignore_case = yes<BR> max_matches = 1<BR> append = no<BR> }</STRONG></DIV>
<DIV> This is just for testing. I originally tried a regex of <STRONG>searchfor =~ "^\w*"</STRONG> and <STRONG>searchfor = "^\w*"</STRONG>, but the unlang equal for regex popped up with an error, and the regular = I do not think recognized regex, so I assumed that meant regex was not supported in this module. Anyway, I have been testing the rewrite with a literal for a specific user to just see if it will work, and it does not seem to work.</DIV>
<DIV> </DIV>
<DIV> From here I call relative_username in the /etc/raddb/sites_enabled/Radsite file, in the authorize section:</DIV>
<DIV> </DIV>
<DIV><STRONG>authorize {<BR> relative_username<BR></STRONG><BR> With this everything loads fine, and running radiusd -X I see that it is still trying to send the info to the LDAP server as jsmith.y2012, and of course it is failing.</DIV>
<DIV> </DIV>
<DIV> So on the hints side I was a little unsure of how it worked, so I tried:</DIV>
<DIV> </DIV>
<DIV><STRONG>DEFAULT User-Name =~ "^([^.]+)[.]"<BR> User-Name := "%{1}"</STRONG></DIV>
<DIV> </DIV>
<DIV> That also did not seem to have an effect. </DIV>
<DIV> </DIV>
<DIV> So I am sure I am either barking up the wrong tree with both of these approaches or I am missing something in here. I should also mention: if I do not use the relative context, the user authenticates just fine and all is good in the world; it is just that darn trailing .y2012 that is the issue.</DIV>
<DIV> </DIV>
<DIV> Sorry ahead of time if this is really a stupid question; I am still learning FreeRADIUS (which I think is awesome)...</DIV>
<DIV> </DIV>
<DIV>So the debug log is below, but it basically shows an object not found.</DIV>
<DIV> </DIV>
<DIV><STRONG>rad_recv: Access-Request packet from host 10.2.2.100 port 36360, id=239, length=65<BR> User-Name = "jsmith.y2012"<BR> User-Password = "123454"<BR> NAS-IP-Address = 10.2.2.100<BR> NAS-Port = 1813<BR>+- entering group authorize {...}<BR>[preprocess] expand: %{User-Name} -> jsmith.y2012<BR>++[preprocess] returns ok<BR>++[chap] returns noop<BR>[suffix] No '@' in User-Name = "jsmith.y2012", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[eap] No EAP-Message, not doing EAP<BR>++[eap] returns noop<BR>++[unix] returns notfound<BR>++[files] returns noop<BR>[ldap] performing user authorization for jsmith.y2012<BR>[ldap] expand: (cn=%{mschap:User-Name:-%{User-Name}}) -> (cn=jsmith.y2012)<BR>[ldap] expand: o=musd -> o=musd<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP reconnection<BR>rlm_ldap: (re)connect to 10.###.###.###:636, authentication 0<BR>rlm_ldap: setting TLS mode to 1<BR>rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder2.b64<BR>rlm_ldap: bind as cn=#######,ou=Radius,o=servers/######### to 10.###.###.###:636<BR>rlm_ldap: waiting for bind result ...<BR>rlm_ldap: Bind was successful<BR>rlm_ldap: performing search in o=musd, with filter (cn=jsmith.y2012)<BR>rlm_ldap: object not found or got ambiguous search result<BR>[ldap] search failed<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>++[ldap] returns notfound<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<BR>++[pap] returns noop<BR>No authenticate method (Auth-Type) configuration found for the request: Rejecting the user<BR>Failed to authenticate the user.<BR>Using Post-Auth-Type Reject<BR>+- entering group REJECT {...}<BR>[attr_filter.access_reject] expand: %{User-Name} -> jsmith.y2012<BR> attr_filter: Matched entry DEFAULT at line 11<BR>++[attr_filter.access_reject] returns updated<BR>Delaying reject of request 0 for 1 seconds<BR>Going to the next request<BR>Waking up in 0.9 seconds.<BR>Sending delayed reject for request 0<BR>Sending Access-Reject of id 239 to 10.2.2.100 port 36360<BR>Waking up in 4.9 seconds.<BR>Cleaning up request 0 ID 239 with timestamp +10<BR>Ready to process requests.</STRONG></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><FONT size=4 face="Times New Roman TUR"><STRONG>Brett Littrell<BR>Network Manager<BR>Milpitas Unified School District<BR><A href="mailto:blittrell@musd.org">blittrell@musd.org</A><BR>Ph# (408)635-2600 X6086</STRONG></FONT></DIV>
<DIV><FONT size=4 face="Times New Roman TUR"><STRONG>Fax# (408)635-2632</STRONG></FONT></DIV>
<DIV><STRONG><FONT size=4 face="Times New Roman TUR"><EM>CISSP, MCNE, CCVP, CCSP, Project+,MCITP/EA</EM></FONT></STRONG></DIV>
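<DIV>The same rewrite expressed in unlang, added here as an example; it is not part of the message above and not the poster's configuration. It assumes FreeRADIUS 2.x (the debug output in the post is in that format) and that the flattened LDAP tree keys users by cn, as the (cn=...) filter in the log does. The regex, the use of Stripped-User-Name and the ldap filter line are this example's choices, not something the post states.</DIV>

```unlang
# sites-enabled/<site>, authorize section (example, not the poster's file):
# strip the relative context before the ldap module runs.
authorize {
    preprocess

    # "jsmith.y2012" -> %{1} = "jsmith".  Only the part before the first dot
    # is kept; a User-Name with no dot does not match and is left untouched,
    # so users who type the plain cn are unaffected.  [.] is used instead of
    # \. to avoid any backslash-escaping questions in the config parser.
    if (User-Name =~ /^([^.]+)[.]/) {
        update request {
            # %{1} is only valid until the next regex comparison, so the
            # update has to sit directly inside this if block.
            Stripped-User-Name := "%{1}"
        }
    }

    ldap
}

# modules/ldap (example): search on the stripped name when one was set,
# otherwise on User-Name exactly as the NAS sent it.  Stripped-User-Name is
# the same attribute the realm modules (suffix, ntdomain) set, so ldap, sql
# and files already consult it through this xlat.
ldap {
    # ... server, identity, password, basedn unchanged from the existing module ...
    filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
}
```

<DIV>Two things to check in radiusd -X after making this change: the "update request" line showing Stripped-User-Name being set, and the [ldap] expand line showing the filter as (cn=jsmith) rather than (cn=jsmith.y2012). Because the suffix is discarded, jsmith.y2012 and jsmith.y2013 both resolve to the same cn; rlm_ldap's "object not found or got ambiguous search result" is also what appears when more than one entry matches, so the flattened tree must keep cn unique for this to authenticate the intended account.</DIV>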
<DIV><STRONG><FONT size=4 face="Times New Roman TUR"><EM></EM></FONT></STRONG></DIV></BODY></HTML>