UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Riccardo Veraldi Sent: Friday, 23 May 2008 16:43 To: FreeRadius users mailing list Subject: Re: radius x509 authentication + LDAP ?
I have this problem.
if I authenticate with EAP-TLS (I am using Max OS X 10.5 as supplicant)
my email address is extracted in some way as the user name. the uid is recognized as the parte before the "@" so my real username in LDAP (which is different) is not recognized as a valid user.
Neverless I am authenticated anyway.
So I have a doulbe problem
1) How to check against LDAP correctly, thus extracting my correct username from email address upon radius authorization request to ldap.
2) if a user is not found how to drop it, avoiding radius authorization to take place
rlm_ldap: performing user authorization for Riccardo.Veraldi radius_xlat: '(uid=Riccardo.Veraldi)' radius_xlat: 'ou=people,o=city,o=myorg,c=it' rlm_ldap: ldap_get_conn: Checking Id: 0
Does the string Riccardo.Veraldi exist in another attribute, like CN or Mail? If so change your filter: filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it)) " Provided that the record is located, radius will use the dn of the record to authenticate. I don't know why failed ldap lookups aren't rejecting the request. Maybe you don't have ldap block in the authenticate section. Regards, Frank Ranner