radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]
Ranner, Frank MR
Frank.Ranner at defence.gov.au
Fri May 23 09:23:57 CEST 2008
UNCLASSIFIED
> -----Original Message-----
> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
> On Behalf Of Riccardo Veraldi
> Sent: Friday, 23 May 2008 16:43
> To: FreeRadius users mailing list
> Subject: Re: radius x509 authentication + LDAP ?
>
>
> I have this problem.
>
> if I authenticate with EAP-TLS (I am using Mac OS X 10.5 as
> supplicant)
>
> my email address is extracted in some way as the user name.
> the uid is recognized as the part before the "@", so my real
> username in
> LDAP (which is different)
> is not recognized as a valid user.
>
> Nevertheless I am authenticated anyway.
>
> So I have a double problem
>
> 1) How to check against LDAP correctly, thus extracting my correct
> username from the email address
> upon the radius authorization request to ldap.
>
> 2) if a user is not found, how to drop it, preventing radius
> authorization
> from taking place
>
> rlm_ldap: performing user authorization for Riccardo.Veraldi
> radius_xlat: '(uid=Riccardo.Veraldi)'
> radius_xlat: 'ou=people,o=city,o=myorg,c=it'
> rlm_ldap: ldap_get_conn: Checking Id: 0
Does the string Riccardo.Veraldi exist in another attribute, like CN or
Mail?
If so, change your filter:
filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it))"
Provided that the record is located, radius will use the dn of the
record to authenticate.
I don't know why failed ldap lookups aren't rejecting the request. Maybe
you don't have an ldap block in the authenticate section.
Regards,
Frank Ranner
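The two fixes Frank suggests (a wider filter, and making a failed lookup reject the request) written out as a FreeRADIUS 2.x-style configuration excerpt. This is an added example, not configuration from the original thread or from the FreeRADIUS project; the base DN and the city.myorg.it mail domain are taken from the log lines and filter quoted above, while the LDAP server hostname, the section layout and the exact placement in sites-enabled/default are assumptions.

```unlang
# modules/ldap (FreeRADIUS 2.x layout, assumed): find the entry by cn, uid,
# or by the mail address built from the User-Name. The base DN is the one
# shown in the original log; the server hostname is a placeholder.
ldap {
    server = "ldap.example.org"
    basedn = "ou=people,o=city,o=myorg,c=it"
    filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it))"
}

# sites-enabled/default, authorize section (assumed placement).
# rlm_ldap returns "notfound" when the filter matches no entry. On its own
# that return code does not reject the request, so the request has to be
# rejected explicitly to fail closed for users missing from the directory.
authorize {
    preprocess
    eap {
        ok = return
    }
    ldap
    if (notfound) {
        reject
    }
}
```

Two caveats on this layout. With `ok = return` the `ldap` call only runs on the first packet of the EAP conversation, where `eap` returns `updated` rather than `ok`; that is the packet carrying the EAP-Identity, which is exactly the lookup visible in the original log. Second, in EAP-TLS the User-Name is the outer identity the supplicant chooses to send, not something taken from the certificate, so the lookup above only confirms that a directory entry exists for the name the client claimed. To tie the directory entry to the certificate itself, the `tls` section of eap.conf offers `check_cert_cn` (for example `check_cert_cn = %{User-Name}`), which makes the handshake fail when the certificate's CN does not match; whether CN is the right field for a site whose certificates carry the mail address in the subject is something to check against the actual certificates.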