rlm_perl changing User-Name and proxy requests

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Jan 11 21:32:23 CET 2013


On 11 Jan 2013, at 19:58, Ti Leggett <leggett at mcs.anl.gov> wrote:

> I have an issue with rlm_perl changing the request User-Name attribute but the proxy request not honoring it. First I'll describe what I'm trying to accomplish and why and then what I'm doing. I'm running a branch of 2.2.1 that has some krb5 realm fixes in it.
> 
> I have multiple realms that users can authenticate against: our division has replayable password (handled by kerberos) and one time passwords (handled by both YubiKeys and Crypto Card), our lab has replayable passwords (handled by AD) and a separate one time password system (handled by Crypto Card). For services that we want to allow replayable passwords (like IMAP access for instance), we want to allow the user to choose which service to use (division or lab). For services requiring OTP we want the user to choose which OTP token they want to use (some people have multiple because of external requirements). We want users to be able to change these auth preferences on their own and not have this require changing the RADIUS configuration (a.k.a., the users file) to do this. Our account information is kept in LDAP.
> 
> This is all well and good except that usernames between the division and the lab aren't guaranteed to match - User A might have lastname as their division name, but lastnamefirst as their lab username. For the kerberos and AD request the RADIUS server can handle the request directly using rlm_krb5, but for all the OTP requests the server must proxy to the correct OTP server to handle the request.
> 
> Here's my plan for accomplishing this.
> 
> During authorization, rlm_ldap is used to make sure the user is in LDAP. If not, the request is rejected outright (this should help with brute force attempts bogging down all the servers for bogus attempts).

Yeah, it'll just bog down your LDAP server instead. You should use rlm_cache to cache the result of the LDAP lookup (once you have all this working)*.

Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.

-Arran

PS: You know you want to test the threaded version of the updated rlm_krb5 module :)

* Only use the rlm_cache module from 2.2.1
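The nostrip setting Arran asks about, shown as an added example that is not part of this thread or of the FreeRADIUS distribution: a realm block in a 2.2.x proxy.conf that proxies to the OTP server and forwards the User-Name as the request already carries it. The home server address, secret, pool and realm names are placeholders.

```text
# proxy.conf (FreeRADIUS 2.2.x); placeholder home server for one OTP backend
home_server otp1 {
	type   = auth
	ipaddr = 192.0.2.10        # placeholder address
	port   = 1812
	secret = placeholder-secret
}

home_server_pool otp_pool {
	type        = fail-over
	home_server = otp1
}

# placeholder realm name; the realm the request is sent to is whatever
# ends up in Proxy-To-Realm for the request
realm otp.example.com {
	auth_pool = otp_pool

	# Without nostrip the realm suffix is stripped from the User-Name before
	# the request is proxied, which is what clobbers a User-Name that rlm_perl
	# has rewritten. With nostrip the User-Name is forwarded unchanged.
	nostrip
}
```

Check each realm the OTP requests can be proxied to, not just one; a DEFAULT realm without nostrip will strip as well. In the authorize section the perl module has to run before whatever selects the realm, so that the rewritten User-Name (and, if the perl code sets it, Proxy-To-Realm in the control list) is what the proxy code sees.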

