Re: FW: Problem conversion of User-Name
marcus.koestler at polizei.bayern.de
Thu Oct 13 16:19:18 CEST 2005
yes.
-----Original Message-----
From: Kenneth Grady [mailto:klg at lanl.gov]
Sent: Thursday, 13 October 2005 16:20
To: FreeRadius users mailing list
Subject: Re: FW: Problem conversion of User-Name
in your /etc/krb5.conf do you have
...
[realms]
apfelbaum.de ={
kdc = kerberos...
On Thu, 2005-10-13 at 07:58, marcus.koestler at polizei.bayern.de wrote:
> > Hello,
> >
> > I have a problem after converting a User-Name of the form 27180769 to
> > 27180769@apfelbaum.de.
> >
> > After the radius server has authorized the request, I want to convert my
> > user to an @-form to pass it to the rlm_krb5 module for authentication,
> > because we have different Kerberos realms and the name 27180769 is
> > probably not enough to pick the right Kerberos server from krb5.conf.
> >
> > For this sake my external program gives back a value pair in the form
> > "User-Name := 27180769@apfelbaum.de", after I feed it with the LDAP DN
> > from the LDAP request, to pick the right realm.
> >
> > It seems that the memory allocated for User-Name is not reallocated, so
> > the values of other variables were overwritten after the program returns.
> >
> > here is my debug output from radiusd -s -xx:
> >
> > Exec-Program: /usr/local/bin/convert.php CN=27180769,CN=Users,DC=apfelbaum,DC=de
> > Exec-Program output: User-Name := 27180769@APFELBAUM.DE
> > Exec-Program-Wait: value-pairs: User-Name := 27180769@APFELBAUM.DE
> > Exec-Program: returned: 0
> > modcall[authorize]: module "convert_name" returns ok for request 0
> > rlm_ldap: Entering ldap_groupcmp()
> > radius_xlat: 'dc=apfelbaum,dc=de'
> > radius_xlat: '(|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)))'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de, with filter (|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)))
> > rlm_ldap::ldap_groupcmp: User found in group cn=modemuser,cn=Users,dc=apfelbaum,dc=de
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > users: Matched entry DEFAULT at line 219
> > radius_xlat: 'number=08912124447 direction=outgoing'
> > modcall[authorize]: module "files" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> > rad_check_password: Found Auth-Type Kerberos
> > auth: type "Kerberos"
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 0
> > rlm_krb5: [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in requested realm
> > modcall[authenticate]: module "krb5" returns reject for request 0
> > modcall: group authenticate returns reject for request 0
> > auth: Failed to validate the user.
> > Login incorrect: [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from client localhost port 0)
> >
> >
> > a snippet from radiusd.conf:
> >
> >
> > exec convert_name {
> >         wait = yes
> >         program = "/usr/local/bin/convert.php %{Ldap-UserDn}"
> >         input_pairs = request
> >         output_pairs = request
> > }
> >
> > authorize {
> >         ldap {
> >                 notfound = return
> >         }
> >         convert_name
> >         files
> > }
> >
> > my users file:
> >
> > DEFAULT Ldap-Group == "cn=modemuser,cn=Users,dc=apfelbaum,dc=de",
> >         Auth-Type := Kerberos
> >         DIALT := "number=%{reply:DIALT} direction=outgoing",
> >         PPPT := "callback=ppp_offered blocktime=3 Layer1Protocol=modem",
> >         Idle-Timeout = 900,
> >         Framed-Protocol = PPP,
> >         User-Service := 2,
> >         Fall-Through = 0,
> >         Framed-Netmask := 255.255.255.255
> >
> > DEFAULT Ldap-Group == "cn=isdnuser,cn=Users,dc=apfelbaum,dc=de",
> >         Auth-Type := Kerberos
> >         DIALT := "number=%{reply:DIALT} direction=outgoing",
> >         PPPT := "callback=ppp_offered blocktime=3",
> >         Idle-Timeout = 900,
> >         Framed-Protocol = PPP,
> >         User-Service := 2,
> >         Fall-Through = 0,
> >         Framed-Netmask := 255.255.255.255
> >
> >
> > DEFAULT Auth-Type := Reject
> >         Reply-Message = "Your account has been disabled."
> >
> >
> > greetings
> > Marcus Koestler
> > Bayerisches Landeskriminalamt
> > SG 343, Netztechnik
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
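The thread never shows /usr/local/bin/convert.php, only its output line (`User-Name := 27180769@APFELBAUM.DE`). The script below is an added, stand-alone illustration of the job that program does, written for this page rather than taken from the poster or from FreeRADIUS: it derives a Kerberos realm from the DC components of the LDAP DN that the exec module hands over via %{Ldap-UserDn}, strips any realm the user already carries, and prints one attribute pair on stdout in the same `Attribute := value` shape the debug output shows. Two things are assumptions rather than facts from the page: that the `program` line is changed to pass both `%{User-Name}` and `%{Ldap-UserDn}` (the original passes only the DN), and that rlm_exec accepts a double-quoted value on that line. The realm is upper-cased because Kerberos realm names are case-sensitive and the [realms] entry in krb5.conf has to match the spelling the script emits exactly; an entry written as `apfelbaum.de` will not serve a request for `APFELBAUM.DE`. The DN parser honours backslash-escaped commas, so an RDN such as `CN=Doe\, John` does not split the DN in the wrong place, and every DC label is checked against DNS label syntax before it can become part of a principal name.

```python
#!/usr/bin/env python3
"""Stand-in for the poster's convert.php (added example, not the original).

Usage from radiusd.conf (assumed change to the page's exec block):
    program = "/usr/local/bin/convert.py %{User-Name} %{Ldap-UserDn}"
Prints:  User-Name := "<user>@<REALM>"   on stdout, exit 0
Fails:   message on stderr, exit 1, nothing on stdout (no pair is set)
"""
import re
import sys

# A DC value must be a plain DNS label before it is allowed into a realm name.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas (RFC 4514 style)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):       # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def realm_from_dn(dn):
    """Join the DC components, in DN order, into an upper-case Kerberos realm.

    Raises ValueError when the DN has no DC component or a label is not a
    valid DNS label, so garbage can never be turned into a principal.
    """
    labels = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        if attr.strip().upper() == "DC":
            value = value.strip()
            if not LABEL_RE.match(value):
                raise ValueError("bad DC label: %r" % value)
            labels.append(value.upper())
    if not labels:
        raise ValueError("no DC components in DN: %r" % dn)
    return ".".join(labels)


def qualified_user(user, dn):
    """Return user@REALM, discarding any realm the incoming User-Name carries."""
    bare = user.split("@", 1)[0]
    if not bare or "\\" in bare or '"' in bare:
        raise ValueError("unusable User-Name: %r" % user)
    return "%s@%s" % (bare, realm_from_dn(dn))


def attribute_line(user, dn):
    """Format the pair the way the module reads it back from stdout."""
    return 'User-Name := "%s"' % qualified_user(user, dn)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <User-Name> <Ldap-UserDn>\n" % argv[0])
        return 1
    try:
        print(attribute_line(argv[1], argv[2]))
    except ValueError as exc:
        sys.stderr.write("convert: %s\n" % exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the DN from the thread, `convert.py 27180769 "CN=27180769,CN=Users,DC=apfelbaum,DC=de"` prints `User-Name := "27180769@APFELBAUM.DE"`. A DN without DC components, or with a DC value that is not a DNS label, produces no output and a non-zero exit, so the module leaves User-Name untouched instead of feeding rlm_krb5 a principal built from unexpected input.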