WG: Problem conversion of User-Name
marcus.koestler at polizei.bayern.de
Thu Oct 13 15:58:23 CEST 2005
> Hello,
>
> I have a problem after converting a User-Name of the form 27180769 to
> 27180769@apfelbaum.de.
>
> After the radius-server authorized the request, I want to convert my user to an
> @-form to pass it to the rlm_krb5 module for authentication, because we
> have different Kerberos realms and the name 27180769 is probably not
> enough to pick the right Kerberos server from krb5.conf.
>
> For this purpose my external program gives back a value pair in the form
> "User-Name := 27180769@apfelbaum.de", after I feed it with the LDAP DN
> from the LDAP request, to pick the right realm.
>
> It seems that the memory allocated for User-Name is not reallocated, so
> vals of other vars were overwritten after the program returns.
>
> Here is my debug output from radiusd -s -xx:
>
> Exec-Program: /usr/local/bin/convert.php
> CN=27180769,CN=Users,DC=apfelbaum,DC=de
> Exec-Program output: User-Name := 27180769@APFELBAUM.DE
> Exec-Program-Wait: value-pairs: User-Name := 27180769@APFELBAUM.DE
> Exec-Program: returned: 0
> modcall[authorize]: module "convert_name" returns ok for request 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'dc=apfelbaum,dc=de'
> radius_xlat:
> '(|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(
> &(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apf
> elbaum,DC=de)))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de,
> with filter
> (|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&
> (objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfe
> lbaum,DC=de)))
> rlm_ldap::ldap_groupcmp: User found in group
> cn=modemuser,cn=Users,dc=apfelbaum,dc=de
> rlm_ldap: ldap_release_conn: Release Id: 0
> users: Matched entry DEFAULT at line 219
> radius_xlat: 'number=08912124447 direction=outgoing'
> modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type Kerberos
> auth: type "Kerberos"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_krb5:
> [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=
> de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in
> requested realm
> modcall[authenticate]: module "krb5" returns reject for request 0
> modcall: group authenticate returns reject for request 0
> auth: Failed to validate the user.
> Login incorrect:
> [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from
> client localhost port 0)
>
>
> A snippet from radiusd.conf:
>
>
> exec convert_name {
>     wait = yes
>     program = "/usr/local/bin/convert.php %{Ldap-UserDn}"
>     input_pairs = request
>     output_pairs = request
> }
>
> authorize {
>     ldap {
>         notfound = return
>     }
>     convert_name
>     files
> }
>
> My users file:
>
> DEFAULT Ldap-Group == "cn=modemuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type:=Kerberos
>     DIALT := "number=%{reply:DIALT} direction=outgoing",
>     PPPT := "callback=ppp_offered blocktime=3 Layer1Protocol=modem",
>     Idle-Timeout = 900,
>     Framed-Protocol = PPP,
>     User-Service := 2,
>     Fall-Through = 0,
>     Framed-Netmask := 255.255.255.255
>
> DEFAULT Ldap-Group == "cn=isdnuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type:=Kerberos
>     DIALT := "number=%{reply:DIALT} direction=outgoing",
>     PPPT := "callback=ppp_offered blocktime=3",
>     Idle-Timeout = 900,
>     Framed-Protocol = PPP,
>     User-Service := 2,
>     Fall-Through = 0,
>     Framed-Netmask := 255.255.255.255
>
>
> DEFAULT Auth-Type := Reject
>     Reply-Message = "Your account has been disabled."
>
>
> greetings
> Marcus Koestler
> Bayerisches Landeskriminalamt
> SG 343, Netztechnik
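
An added illustration, not part of the original message and not the poster's convert.php (which the message does not show): a Python stand-in for the conversion step that turns the Ldap-UserDn into `uid@REALM` and refuses any DN that would not yield one clean, bounded User-Name pair. The function names, the character whitelists and the rule that the realm is the upper-cased DC components are assumptions taken from the debug output above.

```python
import re
import sys

# Assumptions (not from the post): the uid is the first RDN (CN=...), the realm
# is the upper-cased DC components joined by dots, and these whitelists apply.
SAFE_UID = re.compile(r"[A-Za-z0-9._-]{1,64}")
SAFE_LABEL = re.compile(r"[A-Za-z0-9-]{1,63}")
MAX_USER_NAME = 253  # a RADIUS attribute value is limited to 253 octets

def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514 allows '\\,' inside values)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts]

def dn_to_user_name(dn):
    """Return 'uid@REALM' for a DN, or raise ValueError on anything unexpected."""
    rdns = [r.partition("=") for r in split_rdns(dn)]
    if rdns[0][0].strip().upper() != "CN":
        raise ValueError("first RDN is not CN")
    uid = rdns[0][2].strip()
    labels = [v.strip() for k, _, v in rdns if k.strip().upper() == "DC"]
    # Reject rather than escape: the exec module parses this program's output
    # as attribute pairs, so spaces, commas or quotes must never reach it.
    if not SAFE_UID.fullmatch(uid):
        raise ValueError("unsafe characters in uid")
    if not labels or not all(SAFE_LABEL.fullmatch(l) for l in labels):
        raise ValueError("missing or unsafe DC components")
    name = uid + "@" + ".".join(labels).upper()
    if len(name) > MAX_USER_NAME:
        raise ValueError("User-Name too long for a RADIUS attribute")
    return name

if __name__ == "__main__":
    try:
        print("User-Name := " + dn_to_user_name(sys.argv[1]))
    except (IndexError, ValueError) as exc:
        sys.exit("convert: %s" % exc)  # message on stderr, exit status 1
```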