radius x509 authentication + LDAP ?
Riccardo.Veraldi at cnaf.infn.it
Fri May 23 08:42:54 CEST 2008
I have this problem.
If I authenticate with EAP-TLS (I am using Mac OS X 10.5 as the supplicant),
my email address is extracted in some way as the user name.
The uid is recognized as the part before the "@", so my real username in
LDAP (which is different)
is not recognized as a valid user.
Nevertheless, I am authenticated anyway.
So I have a double problem:
1) How to check against LDAP correctly, thus extracting my correct
username from the email address
upon the RADIUS authorization request to LDAP.
2) If a user is not found, how to drop it, preventing RADIUS authorization
from taking place.
rlm_ldap: performing user authorization for Riccardo.Veraldi
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=city,o=myorg,c=it, with
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 11
modcall: group authorize returns updated for request 11
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
rlm_eap: Request found, released from the list
rlm_eap: processing type tls
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 11
modcall: group authenticate returns ok for request 11
Login OK: [Riccardo.Veraldi at city.myorg.it] (from client ciscoap3 port 451 cli 001e.5271.e700)
Sending Access-Accept of id 73 to 192.168.252.13:1645
My correct username in LDAP is veraldi.
Thank you very much.
Alan DeKok wrote:
> Riccardo Veraldi wrote:
>> After authentication I would like to check the common name or email
>> address properties of the certificate against LDAP, to authorize the
>> user connection.
> It comes in the User-Name attribute.
>> Is it possible to do this?
>> I tried, but it seems not to be working in my configuration.
>> Any hints?
> Give us more information?
> Q: Hi, I tried to do stuff, but it didn't work. How do I fix it?
> A: Uh... your guess is as good as mine.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
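One way to address both points in the post above, given here as an added example and not as configuration from the original thread or from the FreeRADIUS project: make rlm_ldap search on the directory's mail attribute instead of uid, so the e-mail identity that arrives in User-Name finds the right entry, and use a module return-code override in the authorize section so that a "notfound" from LDAP rejects the request rather than letting authorization continue. The base DN is the one from the debug output; the server name, bind DN and bind password are assumed placeholders.

```text
# radiusd.conf excerpt, FreeRADIUS 1.x syntax (added example, not from the thread)

modules {
        ldap {
                server = "ldap.example.org"               # assumed placeholder
                identity = "cn=radius,o=myorg,c=it"       # assumed bind DN
                password = "changeme"                     # assumed placeholder
                basedn = "ou=people,o=city,o=myorg,c=it"  # from the debug output

                # The stock filter is "(uid=%{Stripped-User-Name:-%{User-Name}})",
                # which is why the search above ran on the part before the "@".
                # The EAP-TLS supplicant sends the certificate's e-mail address
                # as User-Name, so search on mail with the full, unstripped value.
                filter = "(mail=%{User-Name})"

                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        preprocess
        suffix
        eap
        ldap {
                # Default behaviour: notfound lets the group continue and
                # Auth-Type EAP still authenticates the user (the "Login OK"
                # above). Override it so an unknown entry fails closed.
                notfound = reject
        }
}
```

Two caveats for anyone copying this. First, rlm_ldap escapes LDAP filter metacharacters when it expands `%{User-Name}` into the filter, but the ambiguity check still matters: the module treats more than one matching entry the same as none ("object not found or got ambiguous search result"), so the mail attribute must be unique in the directory or every such user is rejected. Second, User-Name is whatever identity the supplicant placed in the EAP-Response/Identity; EAP-TLS verifies the certificate, not that string. Authorizing on User-Name therefore only ties the LDAP entry to the certificate if the server also checks that the two agree. FreeRADIUS 2.x exposes the client certificate's fields to the policy as TLS-Client-Cert-* attributes (for example TLS-Client-Cert-Common-Name) and has a `check_cert_cn` option in the eap tls section for exactly this comparison; with 1.x there is no such check, so the mapping above should be understood as "the user who presented a valid certificate and claimed this e-mail address exists in LDAP".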