LDAP and realms
Mitchell, Michael J
Michael.Mitchell at team.telstra.com
Fri May 19 08:19:34 CEST 2006
Hi Corey,
You don't have debug output for the "username without realm", but I
suspect what is happening is the Stripped-User-Name attribute is not
being added, because the username doesn't need to be stripped!
You can try:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Which will use Stripped-User-Name if it is present, otherwise User-Name.
cheers,
Mike
________________________________
From: freeradius-users-bounces+michael.mitchell=team.telstra.com at lists.freeradius.org [mailto:freeradius-users-bounces+michael.mitchell=team.telstra.com at lists.freeradius.org] On Behalf Of Corey Burks
Sent: Friday, 19 May 2006 4:02 PM
To: freeradius-users at lists.freeradius.org
Subject: LDAP and realms
We have 2 clients authenticating users: one passes simply the uid
(cburks) and users authenticate properly.
The other client is passing username and realm
(cburks at zhone.com), which fails. I have configured zhone.com realm in
the proxy.conf file like this:
realm zhone.com {
type = radius
authhost = LOCAL
accthost = LOCAL
}
Radiusd.conf file has the following in the ldap section.
filter = "(uid=%u)", which works for username only; username
+ realm does not work.
If I switch to:
filter = "(uid=%{Stripped-User-Name})", username + realm works
and username alone fails.
Is there a different way to strip off the realm, so I can
have both ways working?
Thanks
Corey
When I run radiusd in debug I see that the realm is getting
stripped but the username and realm are still being passed to LDAP.
Debug output:
rad_recv: Access-Request packet from host 172.16.15.251:2502, id=20, length=80
User-Name = "cburks at zhone.com"
User-Password = "password"
Vendor-3076-Attr-32 = 0x00000004
NAS-IP-Address = 172.16.15.251
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "zhone.com" for User-Name = "cburks at zhone.com"
rlm_realm: Found realm "zhone.com"
rlm_realm: Adding Stripped-User-Name = "cburks"
rlm_realm: Proxying request from user cburks to realm zhone.com
rlm_realm: Adding Realm = "zhone.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 270
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for cburks
radius_xlat: '(uid=cburks at zhone.com)'
radius_xlat: 'ou=people,o=oak.zhone.com,o=zhone.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to newldap.oak.zhone.com:389, authentication 0
rlm_ldap: bind as uid=radius,o=oak.zhone.com,o=zhone.com/password to newldap.oak.zhone.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filter (uid=cburks at zhone.com)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "cburks" with password "password"
radius_xlat: '(uid=cburks at zhone.com)'
radius_xlat: 'ou=people,o=oak.zhone.com,o=zhone.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filter (uid=cburks at zhone.com)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns notfound for request 0
modcall: leaving group LDAP (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [cburks at zhone.com/password] (from client zw2-vpn1 port 0)
Delaying request 0 for 1 seconds
Finished request 0
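Added example, not part of the thread and not FreeRADIUS code: a small Python simulation of the behaviour the debug output shows (the suffix realm module adds Stripped-User-Name and Realm only when "user@realm" names a configured realm, and the ldap filter is then expanded by xlat) so the three filters from the thread can be compared side by side for a bare uid, a uid with a known realm, and a uid with an unknown realm. The realm table, the function names and the simplified xlat parser are the example's own assumptions; the RFC 4515 escaping of substituted values is also the example's own addition, there to show why a raw User-Name should never reach a search filter unescaped.

```python
"""Simulation of realm stripping followed by xlat expansion of an ldap filter.

Constructed example, not FreeRADIUS source. It models only what the thread
shows: the suffix realm module splits "user@realm" on '@' and, when the
realm is configured, adds Stripped-User-Name and Realm; for a bare username
nothing is added. xlat then expands %u, %{Attr} and %{Attr:-fallback}, where
the fallback is used when Attr is absent. Escaping is this example's own
addition, not something the page states about rlm_ldap.
"""

# Hypothetical realm table standing in for the proxy.conf "realm" blocks.
REALMS = {"zhone.com": {"type": "radius", "authhost": "LOCAL", "accthost": "LOCAL"}}


def realm_suffix(request, realms=REALMS):
    """Return a copy of the request as the suffix realm module would leave it."""
    req = dict(request)
    user = req.get("User-Name", "")
    if "@" not in user:
        return req  # nothing to strip, so no Stripped-User-Name is added
    stripped, realm = user.rsplit("@", 1)
    if realm not in realms:
        return req  # unknown realm: leave the name alone
    req["Stripped-User-Name"] = stripped
    req["Realm"] = realm
    return req


def ldap_filter_escape(value):
    """Escape the RFC 4515 filter metacharacters in an attribute value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def xlat(template, request, escape=ldap_filter_escape):
    """Expand %u, %{Attr} and %{Attr:-fallback}; fallbacks may nest."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%u", i):
            out.append(escape(request.get("User-Name", "")))
            i += 2
        elif template.startswith("%{", i):
            # find the matching '}' so %{A:-%{B}} is handled as one unit
            depth, j = 0, i
            while j < len(template):
                if template.startswith("%{", j):
                    depth += 1
                    j += 2
                    continue
                if template[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unterminated %{ in xlat string")
            name, sep, fallback = template[i + 2:j].partition(":-")
            if name in request:
                out.append(escape(request[name]))
            elif sep:
                out.append(xlat(fallback, request, escape))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# The three filters discussed in the thread.
FILTERS = {
    "%u": '(uid=%u)',
    "stripped": '(uid=%{Stripped-User-Name})',
    "fallback": '(uid=%{Stripped-User-Name:-%{User-Name}})',
}


def build_filter(template, request):
    """Run the request through realm stripping, then expand the filter."""
    return xlat(template, realm_suffix(request))


if __name__ == "__main__":
    # constructed sample User-Names, including a filter-injection attempt
    for user in ("cburks", "cburks@zhone.com", "cburks@other.com", "*)(uid=*"):
        for label, tmpl in FILTERS.items():
            print("%-18s %-9s %s" % (user, label, build_filter(tmpl, {"User-Name": user})))
```

Running it shows the asymmetry from the thread directly: "(uid=%u)" carries the realm into the search for the second client, "(uid=%{Stripped-User-Name})" collapses to "(uid=)" for the first, and only the ":-" form yields "(uid=cburks)" in both cases. Whether the rlm_ldap build on the server escapes xlat output itself is not something this page shows, so check that before letting User-Name reach a filter.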