LDAP and realms

Corey Burks cburks at zhone.com
Fri May 19 16:10:09 CEST 2006


That worked, thank you for your help.

Corey

 

  _____  

From: freeradius-users-bounces+cburks=zhone.com at lists.freeradius.org [mailto:freeradius-users-bounces+cburks=zhone.com at lists.freeradius.org] On Behalf Of Mitchell, Michael J
Sent: Thursday, May 18, 2006 11:20 PM
To: FreeRadius users mailing list
Subject: RE: LDAP and realms

 

Hi Corey,

You don't have debug output for the "username without realm", but I suspect
what is happening is the Stripped-User-Name attribute is not being added,
because the username doesn't need to be stripped!

You can try:

filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

Which will use Stripped-User-Name if it is present, otherwise User-Name.

cheers,

Mike
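To make the behaviour of the three filter templates in this thread concrete, here is an added example (not code from the thread or from the FreeRADIUS project). It models, in Python, the two server steps that matter: rlm_realm adding Stripped-User-Name and Realm only when the User-Name carries a configured realm, and the xlat expansion of `%{Attr}` with the `%{Attr:-default}` fallback. The realm-splitting logic, the `CONFIGURED_REALMS` set and the escaping function are assumptions made for the example; rlm_ldap has its own escaping of expanded values, and this model uses RFC 4515 hex escaping to show why the username must never reach the filter unescaped.

```python
# Added example (not from the FreeRADIUS list thread or the FreeRADIUS source):
# a small model of what the server does with the filter templates from the
# thread. realm_strip() mimics rlm_realm adding Stripped-User-Name/Realm only
# when the User-Name carries a configured realm; xlat() expands %{Attr} and the
# %{Attr:-default} fallback syntax; the LDAP assertion value is escaped per
# RFC 4515 so a username cannot alter the structure of the filter.

FILTER_UID_ONLY = "(uid=%{User-Name})"              # the thread's "%u" form
FILTER_STRIPPED_ONLY = "(uid=%{Stripped-User-Name})"
FILTER_FALLBACK = "(uid=%{Stripped-User-Name:-%{User-Name}})"

CONFIGURED_REALMS = {"zhone.com"}  # the realm block from proxy.conf (assumed)


def ldap_filter_escape(value: str) -> str:
    """Escape characters that are special in an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def realm_strip(user_name: str, realms=CONFIGURED_REALMS) -> dict:
    """Simplified rlm_realm: split on the last '@' and, if the realm is known,
    add Stripped-User-Name and Realm. An unqualified name gets neither."""
    attrs = {"User-Name": user_name}
    name, at, realm = user_name.rpartition("@")
    if at and realm in realms:
        attrs["Stripped-User-Name"] = name
        attrs["Realm"] = realm
    return attrs


def xlat(template: str, attrs: dict) -> str:
    """Expand %{Attr} and %{Attr:-default}; the default may itself be a
    %{...} reference, which is how the thread's filter nests User-Name."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        # find the brace that closes this reference, allowing nested %{...}
        j, depth = i + 2, 1
        while j < len(template) and depth:
            if template.startswith("%{", j):
                depth += 1
                j += 2
                continue
            if template[j] == "}":
                depth -= 1
            j += 1
        if depth:
            raise ValueError("unterminated %{ in template")
        name, has_default, default = template[i + 2 : j - 1].partition(":-")
        value = attrs.get(name)
        if value is not None:
            out.append(ldap_filter_escape(value))
        elif has_default:
            out.append(xlat(default, attrs))  # recurse into the fallback
        # a missing attribute with no default expands to the empty string
        i = j
    return "".join(out)


def build_filter(template: str, user_name: str) -> str:
    """Run the realm step and then the filter expansion for one login."""
    return xlat(template, realm_strip(user_name))


if __name__ == "__main__":
    # constructed sample logins: the two cases from the thread
    for user in ("cburks", "cburks@zhone.com"):
        for template in (FILTER_UID_ONLY, FILTER_STRIPPED_ONLY, FILTER_FALLBACK):
            print(f"{user:18} {template:48} -> {build_filter(template, user)}")
```

Running it shows the symptom from the thread: the User-Name-only filter produces `(uid=cburks@zhone.com)` for the realm-qualified login, the Stripped-User-Name-only filter collapses to `(uid=)` for the bare login, and the fallback form yields `(uid=cburks)` in both cases. A login for a realm that is not configured keeps its full name, exactly as rlm_realm would leave it. The escaping step is the part worth keeping in mind when writing such filters by hand: the username comes from the NAS unauthenticated, so any filter metacharacters in it must be neutralised before the search is issued.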

 

 


  _____  


From: freeradius-users-bounces+michael.mitchell=team.telstra.com at lists.freeradius.org [mailto:freeradius-users-bounces+michael.mitchell=team.telstra.com at lists.freeradius.org] On Behalf Of Corey Burks
Sent: Friday, 19 May 2006 4:02 PM
To: freeradius-users at lists.freeradius.org
Subject: LDAP and realms

We have 2 clients authenticating users. One passes simply the uid (cburks), and
users authenticate properly.

The other client is passing username and realm (cburks@zhone.com), which
fails. I have configured the zhone.com realm in the proxy.conf file like this:

realm zhone.com {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

 

The radiusd.conf file has the following in the ldap section:

filter = "(uid=%u)"

which works for username only; username + realm does not work.

If I switch to:

filter = "(uid=%{Stripped-User-Name})"

username + realm works and username alone fails.

 

Is there a different way to strip off the realm, so I can have both ways
working?

Thanks

Corey

 

 

When I run radiusd in debug I see that the realm is getting stripped, but the
username and realm are still being passed to LDAP.

Debug output:

rad_recv: Access-Request packet from host 172.16.15.251:2502, id=20, length=80
        User-Name = "cburks@zhone.com"
        User-Password = "password"
        Vendor-3076-Attr-32 = 0x00000004
        NAS-IP-Address = 172.16.15.251
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "zhone.com" for User-Name = "cburks@zhone.com"
    rlm_realm: Found realm "zhone.com"
    rlm_realm: Adding Stripped-User-Name = "cburks"
    rlm_realm: Proxying request from user cburks to realm zhone.com
    rlm_realm: Adding Realm = "zhone.com"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 270
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for cburks
radius_xlat:  '(uid=cburks@zhone.com)'
radius_xlat:  'ou=people,o=oak.zhone.com,o=zhone.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to newldap.oak.zhone.com:389, authentication 0
rlm_ldap: bind as uid=radius,o=oak.zhone.com,o=zhone.com/password to newldap.oak.zhone.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filter (uid=cburks@zhone.com)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "cburks" with password "password"
radius_xlat:  '(uid=cburks@zhone.com)'
radius_xlat:  'ou=people,o=oak.zhone.com,o=zhone.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=oak.zhone.com,o=zhone.com, with filter (uid=cburks@zhone.com)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns notfound for request 0
modcall: leaving group LDAP (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [cburks@zhone.com/password] (from client zw2-vpn1 port 0)
Delaying request 0 for 1 seconds
Finished request 0
