Problems with User-Name/Stripped-User-Name
Erling Paulsen
erling.paulsen at cc.uit.no
Wed Jul 27 16:36:35 CEST 2005
On Wed, Jul 27, 2005 at 03:27:57PM +0200, Nicolas Baradakis, The Induhvidual, scrabbled:
> Erling Paulsen wrote:
>
> > Is it possible to have the stripped username stored somewhere, even
> > if I set 'nostrip' for a realm in proxy.conf?
>
> You can create the attribute Stripped-User-Name with another module
> than rlm_realm. For example, you could have in radiusd.conf:
>
> modules {
>     attr_rewrite copy.user-name {
>         attribute = Stripped-User-Name
>         new_attribute = yes
>         searchin = packet
>         searchfor = ""
>         replacewith = "%{User-Name}"
>     }
>
>     attr_rewrite strip.user-name {
>         attribute = Stripped-User-Name
>         new_attribute = no
>         searchin = packet
>         searchfor = "@.*$"
>         replacewith = ""
>         max_matches = 1
>     }
>     ...
> }
>
> authorize {
>     copy.user-name
>     strip.user-name
>     ...
> }
Excellent Nicolas, that got me in the right direction!
Only that, if there is a 'Stripped-User-Name' attribute in the request, it
seems that the server automatically uses this instead of 'User-Name' when
proxying.
I fixed it a little "dirty" by rewriting the stripped username to
the 'Hint' attribute - using %{Hint} in the ldap filter, and then
'User-Name' can be used in all its full glory for EAP proxy to the remote
server.
If I ever must use the Hint attr I will remake a better solution.
Thanks!
- Erling
--
----------------|sig|---
Erling.Paulsen at cc.uit.no
Nettseksjonen, ITavd UiT
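
The workaround described in the message above, written out as a radiusd.conf fragment. This is an added example, not configuration posted in the thread: it reuses the attr_rewrite options from the quoted reply with Hint as the target attribute. The instance names copy.hint and strip.hint and the uid key in the LDAP filter are assumptions.

```conf
# Added example: instance names copy.hint / strip.hint are hypothetical.
modules {
	# Create Hint in the request as a copy of the full User-Name.
	attr_rewrite copy.hint {
		attribute = Hint
		new_attribute = yes
		searchin = packet
		searchfor = ""
		replacewith = "%{User-Name}"
	}

	# Strip the realm suffix from Hint only. User-Name stays intact, and no
	# Stripped-User-Name is created, so the proxied request keeps the full name.
	attr_rewrite strip.hint {
		attribute = Hint
		new_attribute = no
		searchin = packet
		searchfor = "@.*$"
		replacewith = ""
		max_matches = 1
	}

	ldap {
		# Assumption: directory entries are keyed on uid.
		# The local lookup uses the realm-less name held in Hint.
		filter = "(uid=%{Hint})"
		...
	}
}

authorize {
	copy.hint
	strip.hint
	...
}
```

Because this repurposes Hint, any existing rule that matches on Hint will see the stripped name instead of whatever it previously carried.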