removing domain data from user name
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 13 14:42:21 CEST 2006
Yedidia Klein wrote:
> Hello list,
>
>
> I'm using freeradius server as a radius server that forward the auth to
> an LDAP server,
>
> on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3)
>
> I want one of my service providers to authenticate against this radius,
>
> After enabling some debug option I found that it sends me the users in
> the form of user at domain.tld, which (of course) my LDAP doesn't know and
> refuses to auth.
>
> Is there a way on freeradius to pass to the ldap server only the left
> side of the @ sign ?
>
>
> I tried to use "with_ntdomain_hack = yes" in my ldap section on
> radiusd.conf w/o success.
Two ways:
1. Use /etc/raddb/hints to rewrite the packet, e.g.

    # check items: only rewrite requests from the ISP's NAS, and only when the
    # name contains an '@'; the regex capture is available as %{1} below
    DEFAULT NAS-IP-Address == the.isp.server.ip, User-Name =~ "^(.*)@.*$"
            User-Name := "%{1}"

    # or maybe
    DEFAULT Suffix = "@domain.tld", Strip-User-Name = Yes
            Hint = "FromTheIsp"

   (The rewrite value must be in double quotes: a backtick-quoted value in the
   hints/users files is executed as an external program, and here that would
   mean running whatever the peer sent as the User-Name.)
2. Use the proxy/realm feature - see the various "realm" module
definitions in radiusd.conf and the realm definitions in proxy.conf.
Basically:
    modules {
        realm suffix {
            format = suffix
            delimiter = "@"
            ignore_default = yes
            ignore_null = yes
        }
    }

    authorize {
        preprocess
        suffix
        ldap
        # other stuff
    }

...then in proxy.conf:

    realm domain.tld {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        strip    # stripping the realm from User-Name is the default
    }
Method 1. is simpler and probably best for this situation. Method 2. is
really intended for when you make requests to another server, as opposed
to when they make them to you.
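The two approaches in the reply differ in one security-relevant detail: the hints entry strips any "@anything" from every name sent by the ISP's NAS, while the realm module with ignore_default = yes only strips realms you have explicitly configured and leaves unknown ones untouched (so "admin@evil.example" is not quietly looked up as "admin"). The following model of both behaviours is an added example, not code from the thread or from FreeRADIUS; the NAS address, the known-realm set and the sample requests are constructed, and the assumption that the suffix format splits on the last delimiter should be checked against your server version.

```python
import re

# Regex from the hints entry in the reply; .* is greedy, so the capture runs
# up to the LAST '@' in the name.
HINTS_REGEX = re.compile(r"^(.*)@.*$")

# Constructed placeholder for "the.isp.server.ip" in the hints entry.
ISP_NAS_IP = "192.0.2.10"

# Constructed: realms defined in proxy.conf (method 2).
KNOWN_REALMS = {"domain.tld"}


def hints_rewrite(nas_ip, user_name, isp_nas_ip=ISP_NAS_IP):
    """Method 1 model: hints-file rewrite.

    Returns (new_user_name, hint). The check items only match requests from
    the ISP's NAS whose User-Name contains an '@'; everything else passes
    through unchanged. Note that ANY realm is stripped for that NAS.
    """
    if nas_ip != isp_nas_ip:
        return user_name, None
    match = HINTS_REGEX.match(user_name)
    if not match:
        return user_name, None
    return match.group(1), "FromTheIsp"


def realm_split(user_name, delimiter="@", ignore_null=True,
                ignore_default=True, known_realms=KNOWN_REALMS):
    """Method 2 model: realm module with format = suffix.

    Returns (new_user_name, realm). With ignore_null = yes a name without a
    delimiter is left alone; with ignore_default = yes a name whose realm is
    not configured is also left alone (no DEFAULT realm is consulted), so the
    LDAP lookup then fails closed on the unmodified "user@unknown" string.
    """
    idx = user_name.rfind(delimiter)   # assumption: split on the last delimiter
    if idx < 0:
        # No realm present. A NULL realm could be defined in proxy.conf, but
        # with ignore_null = yes it is never consulted; we model no NULL realm.
        return user_name, None
    stripped, realm = user_name[:idx], user_name[idx + 1:]
    if realm.lower() in known_realms:
        return stripped, realm
    if ignore_default:
        return user_name, None
    # ignore_default = no: a DEFAULT realm would catch it and strip the suffix.
    return stripped, realm


# Constructed sample requests: (NAS-IP-Address, User-Name).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "alice@domain.tld"),
    ("192.0.2.10", "alice"),
    ("192.0.2.10", "admin@evil.example"),
    ("198.51.100.5", "bob@domain.tld"),
    ("192.0.2.10", "alice@corp@domain.tld"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Run both models over the sample requests; returns a list of
    (user_name, hints_result_name, realm_result_name)."""
    rows = []
    for nas_ip, name in requests:
        rows.append((name, hints_rewrite(nas_ip, name)[0], realm_split(name)[0]))
    return rows


if __name__ == "__main__":
    for name, via_hints, via_realm in compare():
        print(f"{name:28} hints-> {via_hints:20} realm-> {via_realm}")
```

The third sample row is the one to look at: the hints rewrite hands "admin" to LDAP, whereas the realm module leaves "admin@evil.example" as-is. If you pick method 1, keep the NAS-IP-Address check (or use the Suffix/Strip-User-Name form, which only strips the one configured domain) so that only the intended peer and domain are rewritten.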