removing domain data from user name

Phil Mayers p.mayers at imperial.ac.uk
Thu Jul 13 14:42:21 CEST 2006


Yedidia Klein wrote:
> Hello list,
> 
> 
> I'm using freeradius server as a radius server that forwards the auth to 
> an LDAP server,
> 
> on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3)
> 
> I want one of my service providers to authenticate against this radius,
> 
> After enabling some debug option I found that it sends me the users in 
> the form of user at domain.tld, which (of course) my ldap doesn't know and 
> refuses to auth.
> 
> Is there a way on freeradius to pass to the ldap server only the left 
> side of the @ sign ?
> 
> 
> I tried to use "with_ntdomain_hack = yes" in my ldap section on 
> radiusd.conf  w/o success.

Two ways:

  1. Use /etc/raddb/hints to rewrite the packet, e.g.

# hints: only rewrite requests that arrive from the ISP's NAS;
# %{1} is the first regex capture (the part before the @)
DEFAULT	NAS-IP-Address == the.isp.server.ip, User-Name =~ "^(.*)@.*$"
	User-Name := "%{1}"

# or maybe: strip only the known realm suffix
DEFAULT	Suffix = "@domain.tld", Strip-User-Name = Yes
	Hint = "FromTheIsp"

  2. Use the proxy/realm feature - see the various "realm" module 
definitions in radiusd.conf and the realm definitions in proxy.conf. 
Basically:

modules {
   realm suffix {
     format = suffix          # realm follows the delimiter: user@realm
     delimiter = "@"
     ignore_default = yes     # unknown realm: don't fall back to DEFAULT
     ignore_null = yes        # no delimiter: leave the request alone
   }
}
authorize {
   preprocess
   suffix                     # sets Stripped-User-Name / Realm
   ldap
   # other stuff
}

...then in proxy.conf:

realm domain.tld {
   type = radius
   authhost = LOCAL           # handle auth here, don't proxy
   accthost = LOCAL
   strip                      # use Stripped-User-Name for local modules
}

Method 1. is simpler and probably best for this situation. Method 2. is 
really intended for when you make requests to another server, as opposed 
to when they make them to you.
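As an added illustration that is not part of the original thread or of FreeRADIUS itself, the following Python models the three stripping behaviours discussed above (the hints regex rewrite, the `Suffix`/`Strip-User-Name` hint, and the `realm suffix` module) so the difference in what they accept can be checked offline. The realm names and user names are constructed; whether rlm_realm splits at the first or last delimiter is an assumption of this model, not something the thread states.

```python
import re

# Constructed model of the hints entry:  User-Name =~ "^(.*)@.*$" ; User-Name := "%{1}"
HINTS_REGEX = re.compile(r"^(.*)@.*$")


def strip_by_regex(user_name):
    """Model of the hints regex rewrite.

    Any realm is removed, whatever it is, so this rule relies entirely on the
    NAS-IP-Address check in the same hints entry to limit who gets rewritten.
    Because (.*) is greedy, everything up to the LAST '@' is kept.
    """
    m = HINTS_REGEX.match(user_name)
    return m.group(1) if m else user_name


def strip_by_suffix(user_name, suffix="@domain.tld"):
    """Model of:  Suffix = "@domain.tld", Strip-User-Name = Yes

    Only the configured realm is removed; a name carrying any other realm
    (or none) passes through unchanged and will fail the LDAP lookup as-is.
    """
    if user_name.lower().endswith(suffix.lower()):
        return user_name[: -len(suffix)]
    return user_name


def realm_split(user_name, delimiter="@", known_realms=("domain.tld",),
                ignore_null=True, ignore_default=True):
    """Model of rlm_realm with format = suffix.

    Returns (stripped_user_name, realm).  realm is None when the module
    would leave the request untouched:
      - ignore_null:    no delimiter in the name, so no realm lookup at all
      - ignore_default: the realm is not defined in proxy.conf and no
                        fallback to a DEFAULT realm is attempted
    Assumption of this model: the split is at the last delimiter.
    """
    if delimiter not in user_name:
        if ignore_null:
            return (user_name, None)
        return (user_name, "NULL")
    stripped, realm = user_name.rsplit(delimiter, 1)
    if realm not in known_realms:
        if ignore_default:
            return (user_name, None)
        return (stripped, "DEFAULT")
    return (stripped, realm)


def compare(user_names):
    """Run all three models over a list of names; handy for eyeballing differences."""
    rows = []
    for name in user_names:
        rows.append((name, strip_by_regex(name), strip_by_suffix(name), realm_split(name)))
    return rows


if __name__ == "__main__":
    # Constructed sample names: the ISP's own realm, a foreign realm,
    # a bare name, and a name with two delimiters.
    for row in compare(["joe@domain.tld", "joe@other.tld", "joe", "a@b@domain.tld"]):
        print(row)
```

The practical point the model makes visible: the regex rule strips every realm, so `admin@anything.tld` would reach LDAP as `admin`; that is why the hints entry pairs it with `NAS-IP-Address == the.isp.server.ip`. The `Suffix` hint and the realm module only strip the realm you have declared, and the realm module records what it removed in `Realm`, which the default rlm_ldap filter in 1.x (`(uid=%{Stripped-User-Name:-%{User-Name}})`) then picks up via `Stripped-User-Name`.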