radius x509 authentication + LDAP ?

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Fri May 23 08:42:54 CEST 2008

I have this problem.

if I authenticate with EAP-TLS (I am using Max OS X 10.5 as supplicant)

my email address is extracted in some way as the user name.
the uid is recognized as the parte before the "@" so my real username in 
LDAP (which is different)
is not recognized as a valid user.

Neverless I am authenticated anyway.

So I have a doulbe problem

1) How to check against LDAP correctly, thus extracting my correct 
username from email address
upon radius authorization request to ldap.

2) if a user is not found how to drop it, avoiding radius authorization 
to take place

rlm_ldap: performing user authorization for Riccardo.Veraldi
radius_xlat:  '(uid=Riccardo.Veraldi)'
radius_xlat:  'ou=people,o=city,o=myorg,c=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=city,o=myorg,c=it, with 
filter (uid=Riccardo.Veraldi)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 11
modcall: group authorize returns updated for request 11
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 11
modcall: group authenticate returns ok for request 11
Login OK: [Riccardo.Veraldi at city.myorg.it] (from client ciscoap3 port 
451 cli 001e.5271.e700)
Sending Access-Accept of id 73 to

my correct username in LDAP is veraldi

thank you very much


Alan DeKok ha scritto:
> Riccardo Veraldi wrote:
>> After authentication I would like to chack the common name or email
>> address propertires of te certificate againsta LDAP, to authorize the
>> user connection.
>   It comes in the User-Name attribute.
>> is it possible to do this ?
>> I tyed but it seems not working in my configuration.
>> any hints ?
>   Give us more information?
> Q: Hi, I tried to do stuff, but it didn't work.  How do I fix it?
> A: Uh... your guess is as good as mine.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list