Hello All, We are in the process of migrating users from one AD tree to another. The migrated accounts will exist in both AD directories for a while (usernames will not change) and I need to be able to choose a radius server based on an LDAP group membership. I have this working fine for cases where users do not supply a realm but I am not sure of the best way to do this for users that do supply an ntdomain-style realm. In the new domain, no one requires a realm (need to strip if the user has already been migrated), while the old domain has several child domains. I am using FR 2.1.10. I was not successful trying to change the proxy server after one had already been chosen. I tried to remove the Realm attribute in the authorize section but the request still went to the initially chosen radius pool. I tried stripping the realm manually prior to realm processing in authorize {} but have not been successful yet. I am using a simple regex like this: if (User-Name =~ /^[A-z]+\\(.*)/) { update request { Stripped-User-Name := "%{1}" } } This always fails for 'radtest realm\\user'. Am I missing something or is there a more elegant way to accomplish this? Thanks very much, David
Thanks for the suggestion, Alan. I have the regex matching successfully now. However, I am unclear about how to resolve the next issue. I have the following configuration in authorize: if (User-Name =~ /(^[a-z]+)(\\\\+)([a-z0-9]+$)/i) { update request { Stripped-User-Name := "%{3}" } } ntdomain It appears that the =~ line updates User-Name, preventing ntdomain from proxying the request. I tried manually resetting it in the update block with User-Name := "%{0}" but I am getting the same results: rad_recv: Access-Request packet from host 127.0.0.1 port 38669, id=107, length=62 User-Name = "realm\\user" User-Password = "xxxxx" NAS-IP-Address = x.x.x.x NAS-Port = 0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++? if (User-Name =~ /(^[a-z]+)(\\\\+)([a-z0-9]+$)/i) ? Evaluating (User-Name =~ /(^[a-z]+)(\\\\+)([a-z0-9]+$)/i) -> TRUE ++? if (User-Name =~ /(^[a-z]+)(\\\\+)([a-z0-9]+$)/i) -> TRUE ++- entering if (User-Name =~ /(^[a-z]+)(\\\\+)([a-z0-9]+$)/i) {...} expand: %{0} -> realm\\user expand: %{3} -> user +++[request] returns ok ++- if (User-Name =~ /(^[a-z]+)(\\\\+)([a-z0-9]+$)/i) returns ok [ntdomain] No '\' in User-Name = "user", skipping NULL due to config. ++[ntdomain] returns noop The problem is that if the user has not been migrated to the new domain I need to retain the supplied realm information and proxy realm\user to the old radius server. What else can I do to accomplish this? Thanks much, David On Wed, Sep 29, 2010 at 5:43 AM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
if (User-Name =~ /^[A-z]+\\(.*)/) {
not sure of that syntax for regex - char matching is a little more fussy, try this
if (User-Name =~ /^[a-z]+\\(.*)/i) {
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
David McPike wrote:
The problem is that if the user has not been migrated to the new domain I need to retain the supplied realm information and proxy realm\user to the old radius server.
What else can I do to accomplish this?
update control { Proxy-To-Realm := "foo" } That is *all* that the "realm" module does. You can do it, too. If you over-write an existing "Proxy-To-Realm" setting, then the old one is ignored, and the new one is applied. Alan DeKok.
Excellent! Thanks, Alan. I have all my test cases working now except for one. I still need to retain the original realm information in the supplied User-Name. The old radius server needs it as part of the username to know which child domain controller to contact for authentication, otherwise auth fails. In other words, if I proxy to the old radius server, the username needs to be realm\user again. Thanks for any further insight. David On Wed, Sep 29, 2010 at 11:39 AM, Alan DeKok <aland@deployingradius.com> wrote:
David McPike wrote:
The problem is that if the user has not been migrated to the new domain I need to retain the supplied realm information and proxy realm\user to the old radius server.
What else can I do to accomplish this?
update control { Proxy-To-Realm := "foo" }
That is *all* that the "realm" module does. You can do it, too. If you over-write an existing "Proxy-To-Realm" setting, then the old one is ignored, and the new one is applied.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
David McPike wrote:
Excellent! Thanks, Alan. I have all my test cases working now except for one. I still need to retain the original realm information in the supplied User-Name. The old radius server needs it as part of the username to know which child domain controller to contact for authentication, otherwise auth fails.
In other words, if I proxy to the old radius server, the username needs to be realm\user again.
Set "nostrip" in the realm configuration. Alan DeKok.
In other words, if I proxy to the old radius server, the username needs to be realm\user again.
Set "nostrip" in the realm configuration.
I finally have a solution. I wanted to keep strip enabled because I have to perform the LDAP query on the stripped username. So, I added the following logic to pre-proxy {}: # non-migrated old child domain user if ("%{control:Proxy-To-Realm}" != "newrealm" && Realm) { update proxy-request { User-Name := "%{Stripped-User-Name}@%{Realm}" } } This allows me to authenticate all child domain users from a single old parent domain controller instead of having IAS servers installed in every child domain. I just had to re-read the unlang man page enough times to get all the pieces. Thanks for all your help! David
participants (3)
-
Alan Buxey -
Alan DeKok -
David McPike