Hello list, I'm using freeradius server as a radius server that forward the auth to an LDAP server, on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3) I want one of my service providers to authenticate against this radius, After enabling some debug option I found that it sends me the users in the form of user@domain.tld, that (of course) my ldap don't know and refuse to auth. Is there a way on freeradius to pass to the ldap server only the left site of the @ sign ? I tried to use "with_ntdomain_hack = yes" in my ldap section on radiusd.conf w/o success. thanks, --Yedidia
Yedidia Klein wrote:
Hello list,
I'm using freeradius server as a radius server that forward the auth to an LDAP server,
on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3)
I want one of my service providers to authenticate against this radius,
After enabling some debug option I found that it sends me the users in the form of user@domain.tld, that (of course) my ldap don't know and refuse to auth.
Is there a way on freeradius to pass to the ldap server only the left site of the @ sign ?
I tried to use "with_ntdomain_hack = yes" in my ldap section on radiusd.conf w/o success.
Two ways: 1. Use /etc/raddb/hints to rewrite the packet, e.g. DEFAULT NAS-IP-Address == the.isp.server.ip, User-Name =~ "^(.*)@.*$" User-Name := `%{1}` # or maybe DEFAULT Suffix = "@domain.tld", Strip-User-Name = Yes Hint = "FromTheIsp" 2. Use the proxy/realm feature - see the various "realm" module definitions in radiusd.conf and the realm definitions in proxy.conf. Basically: modules { realm suffix { format = suffix delimiter = "@" ignore_default = yes ignore_null = yes } } authorize { preprocess suffix ldap # other stuff } ...then in proxy.conf: realm domain.tld { type = radius authhost = LOCAL accthost = LOCAL strip } Method 1. is simpler and probably best for this situation. Method 2. is really intended for when you make requests to another server, as opposed to when they make them to you.
I was able to strip the domain portion of it by having radius execute an external script. Here is what I have in radius to execute the external script.. ldap ldap_ldap1 { server = "" identity = "" password = "" #basedn = "" basedn = "" # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})" filter = "(SamAccountName=%{exec:/usr/local/freeradius/etc/raddb /nodomain.pl %u})" I wrote a perl script to strip that off, using a shell script it always add a return character which adds a space after the uid. --- Yedidia Klein <yedidia@jct.ac.il> wrote:
Hello list,
I'm using freeradius server as a radius server that forward the auth to an LDAP server,
on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3)
I want one of my service providers to authenticate against this radius,
After enabling some debug option I found that it sends me the users in the form of user@domain.tld, that (of course) my ldap don't know and refuse to auth.
Is there a way on freeradius to pass to the ldap server only the left site of the @ sign ?
I tried to use "with_ntdomain_hack = yes" in my ldap section on radiusd.conf w/o success.
thanks,
--Yedidia
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
thanks, this way did it. --yedidia fvt3 wrote:
I was able to strip the domain portion of it by having radius execute an external script. Here is what I have in radius to execute the external script..
ldap ldap_ldap1 { server = "" identity = "" password = "" #basedn = "" basedn = "" # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})" filter = "(SamAccountName=%{exec:/usr/local/freeradius/etc/raddb /nodomain.pl %u})"
I wrote a perl script to strip that off, using a shell script it always add a return character which adds a space after the uid.
--- Yedidia Klein <yedidia@jct.ac.il> wrote:
Hello list,
I'm using freeradius server as a radius server that forward the auth to an LDAP server,
on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3)
I want one of my service providers to authenticate against this radius,
After enabling some debug option I found that it sends me the users in the form of user@domain.tld, that (of course) my ldap don't know and refuse to auth.
Is there a way on freeradius to pass to the ldap server only the left site of the @ sign ?
I tried to use "with_ntdomain_hack = yes" in my ldap section on radiusd.conf w/o success.
thanks,
--Yedidia
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
fvt3 -
Phil Mayers -
Yedidia Klein