Yedidia Klein wrote:
Hello list,
I'm using freeradius server as a radius server that forward the auth to an LDAP server,
on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3)
I want one of my service providers to authenticate against this radius,
After enabling some debug option I found that it sends me the users in the form of user@domain.tld, that (of course) my ldap don't know and refuse to auth.
Is there a way on freeradius to pass to the ldap server only the left site of the @ sign ?
I tried to use "with_ntdomain_hack = yes" in my ldap section on radiusd.conf w/o success.
Two ways: 1. Use /etc/raddb/hints to rewrite the packet, e.g. DEFAULT NAS-IP-Address == the.isp.server.ip, User-Name =~ "^(.*)@.*$" User-Name := `%{1}` # or maybe DEFAULT Suffix = "@domain.tld", Strip-User-Name = Yes Hint = "FromTheIsp" 2. Use the proxy/realm feature - see the various "realm" module definitions in radiusd.conf and the realm definitions in proxy.conf. Basically: modules { realm suffix { format = suffix delimiter = "@" ignore_default = yes ignore_null = yes } } authorize { preprocess suffix ldap # other stuff } ...then in proxy.conf: realm domain.tld { type = radius authhost = LOCAL accthost = LOCAL strip } Method 1. is simpler and probably best for this situation. Method 2. is really intended for when you make requests to another server, as opposed to when they make them to you.