LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4
Hi, Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute.... PEAP: Got tunneled EAP-Message EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c200000000000000000949c9809c8a97e6c717a5 PEAP: Setting User-Name to ac221@sussex.ac.uk PEAP: Sending tunneled request EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c200000000000000000949c9809c8a97e6c717a5 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ac221@sussex.ac.uk" State = 0xc771177ac78f0d80e7ad35c717d8d32f Framed-MTU = 1480 NAS-IP-Address = 139.184.6.156 NAS-Identifier = "hp-e-falm-g-77-sw1" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "001c2ec47180" Calling-Station-Id = "001b63a3a8dd" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" server default-inner { +- entering group authorize expand: %{outer.request:Realm} -> local expand: %{outer.request:NAS-Flags} -> 010010110000000 expand: %{outer.request:SS-Flags} -> 0000000000 expand: %{outer.request:Supplicant-Flags} -> 0001000000 expand: %{outer.request:Called-Station-SSID} -> ++[request] returns notfound ++? if ("%{User-Name}") expand: %{User-Name} -> ac221@sussex.ac.uk ? Evaluating ("%{User-Name}") -> TRUE ++? if ("%{User-Name}") -> TRUE ++- entering if ("%{User-Name}") +++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) expand: %{User-Name} -> ac221@sussex.ac.uk ? Evaluating ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE +++? if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE +++- entering if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) expand: %{1} -> ac221 ++++[request] returns notfound expand: %{3} -> sussex.ac.uk expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk ++++[request] returns notfound +++- if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) returns notfound +++ ... skipping else for request 5: Preceding "if" was taken ++- if ("%{User-Name}") returns notfound rlm_ldap: - authorize rlm_ldap: Attribute "User-Name" is required for authorization. ++[ldap] returns noop Relevant filter line in LDAP is : filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" Why is there now a static requirement for the User-Name attribute to be present anyway? Especially when the filter is defined in the config... -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Arran Cudbard-Bell wrote:
Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute....
Arg... grab src/main/evaluate.c from CVS. In short, a pointer to the user name is cached in a data structure. Keeping it up to date is a PITA. Alan DeKok.
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute....
Arg... grab src/main/evaluate.c from CVS.
In short, a pointer to the user name is cached in a data structure. Keeping it up to date is a PITA.
Yep that worked. 2.041?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Arran Cudbard-Bell wrote:
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute....
Arg... grab src/main/evaluate.c from CVS.
In short, a pointer to the user name is cached in a data structure. Keeping it up to date is a PITA.
Yep that worked. 2.041?
Erg now it's not working in the outer tunnel for with LDAP... Thanks, Arran
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran
participants (2)
-
Alan DeKok -
Arran Cudbard-Bell