Unable to authenticate to 10.5.4 open directory

Thomas von Eyben thomasvoneyben at gmail.com
Tue Sep 2 01:08:30 CEST 2008


I have now done a lot of debugging with my OS X Server + Open
Directory Users setup:

Using an Apple Access Point AND using Apple's Server Admin management
tool to configure radiusd, I am able to authenticate Open Directory
users, BUT only when I provide my shortname without the realm/domain
name.
E.g. authenticating as user "u1" works, but authenticating as user
"u1@voneyben.net" does not work.

I now know that it IS possible to authenticate towards OD :)
Unfortunately I am unable to figure out how to change the
configuration to solve my problem authenticating users like
"u1@voneyben.net".

A complete debug is available here:
http://voneyben.net/radius/auth-u1-ok.txt
http://voneyben.net/radius/auth-u1@voneyben.net-bad.txt

When authentication (as "u1") succeeds, this part looks interesting:
    rlm_realm: No '@' in User-Name = "u1", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "u1"
    rlm_realm: Proxying request from user u1 to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.

When authentication (as "u1@voneyben.net") fails, this part looks interesting:
 modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "voneyben.net" for User-Name = "u1@voneyben.net"
    rlm_realm: Found realm "voneyben.net"
    rlm_realm: Adding Stripped-User-Name = "u1"
    rlm_realm: Proxying request from user u1 to realm voneyben.net
    rlm_realm: Adding Realm = "voneyben.net"
    rlm_realm: Authentication realm is LOCAL.


So how do I modify proxy.conf to get "u1@voneyben.net" to be
handled the same way as "u1", meaning to get Apple's Open Directory to
do its thing :)

Currently the realm in proxy.conf looks like this:
realm voneyben.net {
       type            = radius
       authhost        = LOCAL
       accthost        = LOCAL
}

The complete config files are available here:
http://voneyben.net/radius/proxy.conf
http://voneyben.net/radius/radiusd.conf
http://voneyben.net/radius/eap.conf

And - to save a lot of scrolling - without the comments:
http://voneyben.net/radius/proxy-no-comments.conf
http://voneyben.net/radius/radiusd-no-comments.conf
http://voneyben.net/radius/eap-no-comments.conf

- TvE
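Added example, not part of the original post or of FreeRADIUS itself: a small Python model of the suffix handling that rlm_realm reports in the two debug excerpts above (split User-Name at the last "@", consult the realm table, fall back to the "NULL" realm when there is no "@", and add Stripped-User-Name unless the realm is marked nostrip). The realm table is assumed from the proxy.conf snippet in the post; the Realm class, the helper names and the "noop" result for an unknown realm are constructed for illustration and are not FreeRADIUS code.

```python
# Model of rlm_realm suffix processing (format = suffix, delimiter "@").
# Constructed example; not FreeRADIUS source code.
from dataclasses import dataclass


@dataclass
class Realm:
    """One realm block as it would appear in proxy.conf (assumed fields)."""
    name: str
    authhost: str = "LOCAL"
    accthost: str = "LOCAL"
    nostrip: bool = False


# Realm table mirroring the proxy.conf excerpt in the post: the only realm is
# voneyben.net with authhost = LOCAL. "NULL" is the realm rlm_realm consults
# when the User-Name carries no delimiter.
REALMS = {
    "voneyben.net": Realm("voneyben.net"),
    "NULL": Realm("NULL"),
}


def realm_lookup(user_name, realms=REALMS, delimiter="@"):
    """Return the attributes rlm_realm would add for this User-Name.

    Returns None when the realm is unknown (the module would then do nothing,
    i.e. return noop in the traces). Hypothetical helper for illustration.
    """
    if delimiter in user_name:
        # Suffix format: everything after the LAST delimiter is the realm.
        stripped, _, realm_name = user_name.rpartition(delimiter)
    else:
        # No delimiter: rlm_realm logs 'looking up realm NULL'.
        stripped, realm_name = user_name, "NULL"

    realm = realms.get(realm_name)
    if realm is None:
        return None

    attrs = {"Realm": realm.name, "authhost": realm.authhost}
    if not realm.nostrip:
        attrs["Stripped-User-Name"] = stripped
    return attrs


def same_after_realm(name_a, name_b, realms=REALMS):
    """True when both names leave rlm_realm with the same stripped user and
    the same authentication host (the situation the two traces show)."""
    a, b = realm_lookup(name_a, realms), realm_lookup(name_b, realms)
    if a is None or b is None:
        return False
    return (a.get("Stripped-User-Name"), a["authhost"]) == (
        b.get("Stripped-User-Name"), b["authhost"])


if __name__ == "__main__":
    # Both User-Names from the post, run through the model.
    for name in ("u1", "u1@voneyben.net"):
        print(f"{name!r:24} -> {realm_lookup(name)}")
    print("identical after realm handling:",
          same_after_realm("u1", "u1@voneyben.net"))
```

Run as-is, the script reports the same Stripped-User-Name "u1" and authhost LOCAL for both names, which is what the two debug excerpts also show: the realm step treats them alike, so whatever differs between the working and failing request happens after rlm_realm has run. A realm not present in the table (for example "u1@example.org") yields None, standing in for the noop case.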