Removing domain prefix from login

Alejandro Gandara agandara at optaresolutions.com
Thu Nov 10 17:53:27 CET 2011


2011/11/10 Phil Mayers <p.mayers at imperial.ac.uk>

> Ok, your debug says:
>
> rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21,
> length=218
>        Framed-MTU = 1480
>        NAS-IP-Address = 172.20.40.11
>        NAS-Identifier = "SW-Priv-1-1"
>
>        User-Name = "OPTARE\\brouco"
> <snip>
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
>
> Why is preprocess returning "ok".
>
This is preprocess:

preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints

        # This hack changes Ascend's weird port numberings
        # to standard 0-??? port numbers so that the "+" works
        # for IP address assignments.
        with_ascend_hack = no
        ascend_channels_per_line = 23

        # Windows NT machines often authenticate themselves as
        # NT_DOMAIN\username
        #
        # If this is set to 'yes', then the NT_DOMAIN portion
        # of the user-name is silently discarded.
        #
        # This configuration entry SHOULD NOT be used.
        # See the "realms" module for a better way to handle
        # NT domains.
        with_ntdomain_hack = yes

        # Specialix Jetstream 8500 24 port access server.
        #
        # If the user name is 10 characters or longer, a "/"
        # and the excess characters after the 10th are
        # appended to the user name.
        #
        # If you're not running that NAS, you don't need
        # this hack.
        with_specialix_jetstream_hack = no

        # Cisco (and Quintum in Cisco mode) sends its VSA attributes
        # with the attribute name *again* in the string, like:
        #
        #   H323-Attribute = "h323-attribute=value".
        #
        # If this configuration item is set to 'yes', then
        # the redundant data in the attribute text is stripped
        # out.  The result is:
        #
        #  H323-Attribute = "value"
        #
        # If you're not running a Cisco or Quintum NAS, you don't
        # need this hack.
}

>
> What are you doing in the hints module?
>
> Are you modifying the username field? A few lines later it says:
>
> [ldap]  expand: %{User-Name} -> brouco
>
>
> If you're modifying the username, you can't do that. It will break EAP,
> which is why it says:
>
> [eap] Identity does not match User-Name, setting from EAP Identity.
>
> ...then fails.
>
> I assume you want to strip "DOMAIN\" so that you can do LDAP? You CANNOT
> modify the User-Name field. You MUST use the Stripped-User-Name field, and
> leave the User-Name field alone.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
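The following configuration is an added example, not part of either mail in this thread, showing the approach Phil describes: leave User-Name alone, turn off the preprocess ntdomain hack, and let the realm module's ntdomain instance populate Stripped-User-Name, which the ldap module then uses for its lookup. File paths assume a FreeRADIUS 2.x Debian layout under /etc/freeradius (matching the sites-enabled/default path in the debug output); the realm name OPTARE is taken from the User-Name in the debug, and the ldap filter shown is only the one line that changes.

```unlang
# /etc/freeradius/modules/preprocess
# Do not rewrite User-Name here: EAP compares its identity against
# User-Name, and a modified User-Name is what produced
# "[eap] Identity does not match User-Name" in the debug above.
preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ntdomain_hack = no
}

# /etc/freeradius/modules/realm
# "OPTARE\brouco" -> Realm = "OPTARE", Stripped-User-Name = "brouco".
# User-Name itself is left exactly as the NAS sent it.
realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
}

# /etc/freeradius/proxy.conf
# The realm has to be defined, otherwise rlm_realm returns noop and
# nothing is stripped. A realm with no home servers is handled locally.
realm OPTARE {
}

# /etc/freeradius/modules/ldap (filter line only)
# Look the user up by the stripped name; fall back to User-Name when the
# request carried no domain prefix at all (a plain "brouco").
ldap {
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# /etc/freeradius/sites-enabled/default, authorize section.
# Order matters: ntdomain must run before ldap so that
# Stripped-User-Name already exists when the filter is expanded.
authorize {
        preprocess
        ntdomain
        eap {
                ok = return
        }
        ldap
}
```

With this in place, `freeradius -X` should show the ntdomain module finding the realm and adding Stripped-User-Name and Realm, while the User-Name line in the packet dump stays "OPTARE\\brouco". For PEAP or TTLS, if the inner identity also carries the domain prefix, the same `ntdomain` call belongs in the authorize section of sites-enabled/inner-tunnel as well, since the inner request is processed by that virtual server and not by default.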