I have this problem. if I authenticate with EAP-TLS (I am using Max OS X 10.5 as supplicant) my email address is extracted in some way as the user name. the uid is recognized as the parte before the "@" so my real username in LDAP (which is different) is not recognized as a valid user. Neverless I am authenticated anyway. So I have a doulbe problem 1) How to check against LDAP correctly, thus extracting my correct username from email address upon radius authorization request to ldap. 2) if a user is not found how to drop it, avoiding radius authorization to take place rlm_ldap: performing user authorization for Riccardo.Veraldi radius_xlat: '(uid=Riccardo.Veraldi)' radius_xlat: 'ou=people,o=city,o=myorg,c=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,o=city,o=myorg,c=it, with filter (uid=Riccardo.Veraldi) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 11 modcall: group authorize returns updated for request 11 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 11 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 11 modcall: group authenticate returns ok for request 11 Login OK: [Riccardo.Veraldi@city.myorg.it] (from client ciscoap3 port 451 cli 001e.5271.e700) Sending Access-Accept of id 73 to 192.168.252.13:1645 my correct username in LDAP is veraldi thank you very much Riccardo Alan DeKok ha scritto:
Riccardo Veraldi wrote:
After authentication I would like to chack the common name or email address propertires of te certificate againsta LDAP, to authorize the user connection.
It comes in the User-Name attribute.
is it possible to do this ? I tyed but it seems not working in my configuration. any hints ?
Give us more information?
Q: Hi, I tried to do stuff, but it didn't work. How do I fix it? A: Uh... your guess is as good as mine.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html