Hi Corey, You don't have debug output for the "username without realm", but I suspect what is happening is the Sripped-User-Name attribute is not being added, because the username doesn't need to be stripped! You can try: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" Which will use Stripped-User-Name if it is present, otherwise User-Name. cheers, Mike ________________________________ From: freeradius-users-bounces+michael.mitchell=team.telstra.com@lists.freerad ius.org [mailto:freeradius-users-bounces+michael.mitchell=team.telstra.com@lists .freeradius.org] On Behalf Of Corey Burks Sent: Friday, 19 May 2006 4:02 PM To: freeradius-users@lists.freeradius.org Subject: LDAP and realms We have 2 clients authenticating user one passes simply the uid (cburks) and users authenticate properly. The other client is passing username and realm (cburks@zhone.com), which fails. I have configured zhone.com realm in the proxy.conf file like this: realm zhone.com { type = radius authhost = LOCAL accthost = LOCAL } Radiusd.conf file has the following in the ldap section. filter = "(uid=%u)" Which works for username only and username + realm does not work if I switch to: filter = "(uid=%{Stripped-User-Name})" username + realm works and username alone fails. Is there a way different way to strip off the realm, so I can have both ways working? Thanks Corey When I run radiusd in debug I see that the realm is getting stripped but the username and relam are still being passed to LDAP. Debug output: rad_recv: Access-Request packet from host 172.16.15.251:2502, id=20, length=80 User-Name = "cburks@zhone.com" User-Password = "password" Vendor-3076-Attr-32 = 0x00000004 NAS-IP-Address = 172.16.15.251 NAS-Port-Type = Virtual Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "zhone.com" for User-Name = "cburks@zhone.com" rlm_realm: Found realm "zhone.com" rlm_realm: Adding Stripped-User-Name = "cburks" rlm_realm: Proxying request from user cburks to realm zhone.com rlm_realm: Adding Realm = "zhone.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 270 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for cburks radius_xlat: '(uid=cburks@zhone.com)' radius_xlat: 'ou=people,o=oak.zhone.com,o=zhone.com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to newldap.oak.zhone.com:389, authentication 0 rlm_ldap: bind as uid=radius,o=oak.zhone.com,o=zhone.com/password to newlda p.oak.zhone.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filte r (uid=cburks@zhone.com) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "cburks" with password "password" radius_xlat: '(uid=cburks@zhone.com)' radius_xlat: 'ou=people,o=oak.zhone.com,o=zhone.com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filte r (uid=cburks@zhone.com) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns notfound for request 0 modcall: leaving group LDAP (returns notfound) for request 0 auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [cburks@zhone.com/password] (from cl ient zw2-vpn1 port 0) Delaying request 0 for 1 seconds Finished request 0
That worked, thank you for your help Corey _____ From: freeradius-users-bounces+cburks=zhone.com@lists.freeradius.org [mailto:freeradius-users-bounces+cburks=zhone.com@lists.freeradius.org] On Behalf Of Mitchell, Michael J Sent: Thursday, May 18, 2006 11:20 PM To: FreeRadius users mailing list Subject: RE: LDAP and realms Hi Corey, You don't have debug output for the "username without realm", but I suspect what is happening is the Sripped-User-Name attribute is not being added, because the username doesn't need to be stripped! You can try: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" Which will use Stripped-User-Name if it is present, otherwise User-Name. cheers, Mike _____ From: freeradius-users-bounces+michael.mitchell=team.telstra.com@lists.freeradius. org [mailto:freeradius-users-bounces+michael.mitchell=team.telstra.com@lists.fre eradius.org] On Behalf Of Corey Burks Sent: Friday, 19 May 2006 4:02 PM To: freeradius-users@lists.freeradius.org Subject: LDAP and realms We have 2 clients authenticating user one passes simply the uid (cburks) and users authenticate properly. The other client is passing username and realm (cburks@zhone.com), which fails. I have configured zhone.com realm in the proxy.conf file like this: realm zhone.com { type = radius authhost = LOCAL accthost = LOCAL } Radiusd.conf file has the following in the ldap section. filter = "(uid=%u)" Which works for username only and username + realm does not work if I switch to: filter = "(uid=%{Stripped-User-Name})" username + realm works and username alone fails. Is there a way different way to strip off the realm, so I can have both ways working? Thanks Corey When I run radiusd in debug I see that the realm is getting stripped but the username and relam are still being passed to LDAP. Debug output: rad_recv: Access-Request packet from host 172.16.15.251:2502, id=20, length=80 User-Name = "cburks@zhone.com" User-Password = "password" Vendor-3076-Attr-32 = 0x00000004 NAS-IP-Address = 172.16.15.251 NAS-Port-Type = Virtual Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "zhone.com" for User-Name = "cburks@zhone.com" rlm_realm: Found realm "zhone.com" rlm_realm: Adding Stripped-User-Name = "cburks" rlm_realm: Proxying request from user cburks to realm zhone.com rlm_realm: Adding Realm = "zhone.com" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 270 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for cburks radius_xlat: '(uid=cburks@zhone.com)' radius_xlat: 'ou=people,o=oak.zhone.com,o=zhone.com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to newldap.oak.zhone.com:389, authentication 0 rlm_ldap: bind as uid=radius,o=oak.zhone.com,o=zhone.com/password to newlda p.oak.zhone.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filte r (uid=cburks@zhone.com) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "cburks" with password "password" radius_xlat: '(uid=cburks@zhone.com)' radius_xlat: 'ou=people,o=oak.zhone.com,o=zhone.com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filte r (uid=cburks@zhone.com) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns notfound for request 0 modcall: leaving group LDAP (returns notfound) for request 0 auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [cburks@zhone.com/password] (from cl ient zw2-vpn1 port 0) Delaying request 0 for 1 seconds Finished request 0
participants (2)
-
cburks@zhone.com -
Mitchell, Michael J