Trying to remove a suffix
Brett Littrell
Blittrell at musd.org
Fri Sep 9 20:09:16 CEST 2011
Hi All,
Guess I spoke too soon. I was using radtest, and that worked great; when I went to an actual workstation it was a different story. I am getting the old "[eap] Identity does not match User-Name, setting from EAP Identity." From reading through the archives it looks like this has been an issue in the past. So far it is mostly solved with the mschap call, which I do not think will work with the .y2012 issue.
I am still researching this part, but if anyone has any ideas of where I may find a solution or an idea to fix it, I would appreciate the shortcut :)
Thanks
Brett Littrell
Network Manager
Milpitas Unified School District
blittrell at musd.org
Ph# (408)635-2600 X6086
Fax# (408)635-2632
CISSP, MCNE, CCVP, CCSP, Project+, MCITP/EA
>>> On Friday, September 09, 2011 at 10:23 AM, in message <4E69E939020000690003F8E4 at InternetEmail.musd.org>, "Brett Littrell" <Blittrell at musd.org> wrote:
Hi All,
NM, you know I have been working on this for the last two days; I post here and no more than 30 minutes later I have a breakthrough. Guess that is how it always works.
Found a good ref on the FreeRadius site on the hints and started messing with that and came up with:
DEFAULT User-Name =~ "^([^.]+)", Strip-User-Name = yes
        User-Name := "%{1}"
Thanks anyway!!
Brett Littrell
Network Manager
Milpitas Unified School District
blittrell at musd.org
Ph# (408)635-2600 X6086
Fax# (408)635-2632
CISSP, MCNE, CCVP, CCSP, Project+, MCITP/EA
>>> On Friday, September 09, 2011 at 9:22 AM, in message <4E69DAC9020000690003F8C5 at InternetEmail.musd.org>, "Brett Littrell" <Blittrell at musd.org> wrote:
Hi All,
I hate to post this here, I am sure there is a fairly simple thing to do this but I have been looking and can't seem to find how to do it.
So we have users that typically log in with a relative context. So there is a base context set to, say, ou=HS1.o=students; then they type in their name with a relative context, so it may be jsmith.y2012; with our network it sends jsmith.y2012.hs1.students to the server and logs in just fine. The problem we are having is that FreeRADIUS is getting jsmith.y2012 as the username and trying to send that to LDAP, which first does not understand "." and second, the LDAP side is a flattened tree to speed up lookups, so there is no sub-context.
So the solution would seem to be to strip everything after the '.' so "jsmith.y2012" becomes just "jsmith". So I have been approaching it from this side and have tried using hints and attr_rewrite to do it. I am sure I missed something in each of them, because it seems either should work, especially after reading a lot of the archived threads. So this is what I have done so far:
Created a "relative_username" module and placed it in the /etc/raddb/modules directory. Contents are:
attr_rewrite relative_username {
    attribute = User-Name
    searchin = packet
    searchfor = ".y2012"
    replacewith = ""
    ignore_case = yes
    max_matches = 1
    append = no
}
This is just for testing; I originally tried a regex expression of searchfor =~ "^\w*" and searchfor = "^\w*", but the unlang equals for regex popped with an error, and the regular = I do not think recognized regex, so I assumed that meant regex was not supported in this module. Anyway, I have been testing the rewrite with a literal for a specific user just to see if it will work, and it does not seem to work.
From here I call relative_username in the /etc/raddb/sites_enabled/Radsite file in the authorize section:
authorize {
    relative_username
    # ... rest of the authorize section unchanged ...
}
With this everything loads fine, and running radiusd -X I see that it is still trying to send the info to the LDAP server as jsmith.y2012, and of course it is failing.
So on the hints side I was a little unsure of how it worked, so I tried:
DEFAULT User-Name =~ "^\w+"
        User-Name := "%{1}"
That also did not seem to have an effect.
So I am sure I am either barking up the wrong tree with both of these approaches or I am missing something in here. I should also mention, if I do not use the relative context the user authenticates just fine and all is good in the world; it is just that darn trailing .y2012 that is the issue.
Sorry ahead of time if this is really a stupid question; I am still learning FreeRADIUS (which I think is awesome)...
So the debug log is below, but it basically shows an object not found.
rad_recv: Access-Request packet from host 10.2.2.100 port 36360, id=239, length=65
User-Name = "jsmith.y2012"
User-Password = "123454"
NAS-IP-Address = 10.2.2.100
NAS-Port = 1813
+- entering group authorize {...}
[preprocess] expand: %{User-Name} -> jsmith.y2012
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "jsmith.y2012", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for jsmith.y2012
[ldap] expand: (cn=%{mschap:User-Name:-%{User-Name}}) -> (cn=jsmith.y2012)
[ldap] expand: o=musd -> o=musd
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.###.###.###:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder2.b64
rlm_ldap: bind as cn=#######,ou=Radius,o=servers/######### to 10.###.###.###:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=musd, with filter (cn=jsmith.y2012)
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> jsmith.y2012
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 239 to 10.2.2.100 port 36360
Waking up in 4.9 seconds.
Cleaning up request 0 ID 239 with timestamp +10
Ready to process requests.
Brett Littrell
Network Manager
Milpitas Unified School District
blittrell at musd.org
Ph# (408)635-2600 X6086
Fax# (408)635-2632
CISSP, MCNE, CCVP, CCSP, Project+, MCITP/EA
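The following is an added example, not code from the thread or from the FreeRADIUS project. It models the three rewrites discussed above in plain Python so the difference between them can be checked offline: the attr_rewrite entry with the literal ".y2012", the first hints entry `DEFAULT User-Name =~ "^\w+"` (which has no capture group, so `%{1}` has nothing to refer to), and the entry that was finally used, `^([^.]+)`, which keeps everything before the first dot and leaves names without a dot untouched. It then builds the `(cn=...)` search filter seen in the debug log with RFC 4515 escaping, as a check that a stripped name cannot reshape the filter. Assumptions: the sample logins are constructed; the model treats a `%{N}` that names a group the regex does not have as the empty string; the escaping function is a reference for what filter-building must cover, not a claim about how rlm_ldap is implemented.

```python
import re

# Constructed sample logins modelled on the thread's jsmith.y2012 case
# (not taken from the original posts).
SAMPLE_LOGINS = ["jsmith.y2012", "jsmith", "mjones.y2013.hs1", "jsmith)(cn=*"]


def attr_rewrite(user_name, searchfor, replacewith="", ignore_case=True, max_matches=1):
    """Model of the rlm_attr_rewrite entry in the thread: a literal
    'searchfor' is replaced by 'replacewith' at most max_matches times.
    Being a literal, it only strips the one cohort it names."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.sub(re.escape(searchfor), replacewith, user_name,
                  count=max_matches, flags=flags)


def hints_rewrite(user_name, regex, rhs="%{1}"):
    """Model of a hints/users entry of the form

        DEFAULT User-Name =~ "<regex>"
                User-Name := "<rhs>"

    The =~ check must match for the entry to apply.  On a match the
    capture groups are available as %{0} (whole match), %{1}, %{2}, ...
    A %{N} naming a group the regex does not have expands to ""
    (assumption made by this model)."""
    m = re.search(regex, user_name)
    if not m:
        return user_name  # entry does not match: User-Name is left alone

    def expand(tok):
        n = int(tok.group(1))
        if n == 0:
            return m.group(0)
        if n <= len(m.groups()) and m.group(n) is not None:
            return m.group(n)
        return ""

    return re.sub(r"%\{(\d+)\}", expand, rhs)


def strip_relative_context(user_name):
    """The entry the thread settled on: keep everything before the first '.'.
    A name with no dot matches as a whole and comes back unchanged."""
    return hints_rewrite(user_name, r"^([^.]+)")


# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def ldap_filter_escape(value):
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(user_name):
    """Equivalent of the (cn=<User-Name>) filter seen in the debug log,
    with the user-controlled value escaped so it stays a single cn value."""
    return "(cn=%s)" % ldap_filter_escape(user_name)


def authorize(user_name):
    """Strip the relative context, then build the LDAP filter for it."""
    stripped = strip_relative_context(user_name)
    return stripped, ldap_user_filter(stripped)


if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print("%-18s attr_rewrite=%-18s hints ^\\w+=%-4r hints ^([^.]+)=%-14r filter=%s" % (
            login,
            attr_rewrite(login, ".y2012"),
            hints_rewrite(login, r"^\w+"),
            strip_relative_context(login),
            authorize(login)[1],
        ))
```

Running the block prints one row per sample login; the rows for mjones.y2013.hs1 show why a literal attr_rewrite does not scale across cohorts, and the last row shows the filter escaping doing its job on a name with filter metacharacters.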