Problems with User-Name/Stripped-User-Name
Hello. Is it possible to have the stripped username stored somewhere, even if I set 'nostrip' for a realm in proxy.conf? My setting is this, and this is the only problem I have left on my server: 01 I have a realm example.com, and this realm has 'nostrip' in it's definition in proxy.conf 02 If I detect it's an EAP request I proxy it to another realm (in the users file) and this works great - as 'user@example.com'. 03 If it's not an EAP request I want the local LDAP module to handle the request, just that I now need the stripped username, and the realm has already made it 'nostrip'. Here I want just 'user' instead of 'user@example.com'. If I change the filter in the LDAP module to match on %{Stripped-User-Name}, then this is offcourse empty. It would be nice to %have some way to make both User-Name and Stripped-User-Name exist at the %same time. If I remove the 'nostrip' from the realm it works for local ldap module handling but not for proxy to remote server for EAP, because that server requires the full non-stripped username. Any hints as to fix this little problem? - Erling -- ----------------|sig|--- Erling.Paulsen@cc.uit.no Nettseksjonen, ITavd UiT
Erling Paulsen wrote:
Is it possible to have the stripped username stored somewhere, even if I set 'nostrip' for a realm in proxy.conf?
You can create the attribute Stripped-User-Name with an other module than rlm_realm. For example, you could have in radiusd.conf: modules { attr_rewrite copy.user-name { attribute = Stripped-User-Name new_attribute = yes searchin = packet searchfor = "" replacewith = "%{User-Name}" } attr_rewrite strip.user-name { attribute = Stripped-User-Name new_attribute = no searchin = packet searchfor = "@.*$" replacewith = "" max_matches = 1 } ... } authorize { copy.user-name strip.user-name ... } -- Nicolas Baradakis
On Wed, Jul 27, 2005 at 03:27:57PM +0200,Nicolas Baradakis, The Induhvidual, scrabbled:
Erling Paulsen wrote:
Is it possible to have the stripped username stored somewhere, even if I set 'nostrip' for a realm in proxy.conf?
You can create the attribute Stripped-User-Name with an other module than rlm_realm. For example, you could have in radiusd.conf:
modules { attr_rewrite copy.user-name { attribute = Stripped-User-Name new_attribute = yes searchin = packet searchfor = "" replacewith = "%{User-Name}" }
attr_rewrite strip.user-name { attribute = Stripped-User-Name new_attribute = no searchin = packet searchfor = "@.*$" replacewith = "" max_matches = 1 } ... }
authorize { copy.user-name strip.user-name ... }
Excellent Nicolas, that got me in the right direction! Only that, if there is a 'Stripped-User-Name' attribute in the request, it seems that the server automatically uses this instead of 'User-Name' when proxying. I fixed it a little "dirty" by rewriting the stripped username to the 'Hint' attribute - using %{Hint} in the ldap filter, and then 'User-Name' can be used in all its full glory for EAP proxy to the remote server. If I ever must use the Hint attr I will remake a better solution. Thanks! - Erling -- ----------------|sig|--- Erling.Paulsen@cc.uit.no Nettseksjonen, ITavd UiT
Erling Paulsen wrote:
Only that, if there is a 'Stripped-User-Name' attribute in the request, it seems that the server automatically uses this instead of 'User-Name' when proxying.
Ah, yes. I didn't know the server does that. Question for Alan: in src/main/proxy.c should we check the value of realm.striprealm before overwriting the User-Name with the Stripped-User-Name?
I fixed it a little "dirty" by rewriting the stripped username to the 'Hint' attribute - using %{Hint} in the ldap filter, and then 'User-Name' can be used in all its full glory for EAP proxy to the remote server.
If I ever must use the Hint attr I will remake a better solution.
You could add an additional attribute at the end of /etc/raddb/dictionnary for that purpose. -- Nicolas Baradakis
participants (3)
-
Alan DeKok -
Erling Paulsen -
Nicolas Baradakis