Stripped-User-Name not set when using nostrip?

Alan DeKok aland at deployingradius.com
Wed Jul 3 21:05:37 CEST 2013


Júlíus Þór Bess Ríkharðsson wrote:
> Alan: The goal is to be able to use EAP and still be able to authorize user using LDAP. The object's name is obviously not named realm\user.

  Yes.  Plenty of other people get this to work.

> The behaviour is the same for EAP (just longer output :)), I don't get the option of Stripped-User-Name. And when I unset nostrip, User-Name gets stripped along with Stripped-User-Name being set and the tunnel doesn't work.

  You've set the request to be proxied.  Why?  What's wrong with just
processing the request in the inner-tunnel virtual server?

  i.e. configure raddb/sites-available/inner-tunnel to do LDAP lookups
for the user.

  If you're not sure how the server works, you shouldn't be creating a
complicated configuration.

>   [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with filter (sAMAccountName=umsja\5ctest.juliusbess)
>   [ldap-innra.umsja.is] rebind to URL ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is
>   [ldap-innra.umsja.is] rebind to URL ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is
>   [ldap-innra.umsja.is] object not found
> [ldap-innra.umsja.is] search failed

   So... what is hard to understand about that?

> Without nostrip:

>   [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with filter (sAMAccountName=test.juliusbess)
>   [ldap-innra.umsja.is] rebind to URL ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is
>   [ldap-innra.umsja.is] rebind to URL ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is
> [ldap-innra.umsja.is] looking for check items in directory...
>   [ldap-innra.umsja.is] extensionAttribute10 -> Jira-Key == "MEF"
> [ldap-innra.umsja.is] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

  And that should be useful, too.

  You've butchered the default configuration.  Why?  Just... why?

- start with the default configuration

- ensure that LDAP works for non-EAP

- ensure that LDAP works with the inner-tunnel
  use v2.2.0 for this.  Really.  Read raddb/sites-available/inner-tunnel

- configure the realm as a LOCAL realm.

- it WILL WORK.

  Whatever you've done is four times the work, more complicated, and
fragile.

  And the LDAP lookups aren't working at *all*.  So even if you fix the
EAP / User-Name issue, the system STILL won't work.

  Alan DeKok.
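
A configuration sketch of the layout recommended in the reply above, added here as an illustration; it is not from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x with the stock `ntdomain` realm instance; the realm name `umsja` and the LDAP instance name are taken from the quoted debug output, and the filter expansion is an assumed replacement for whatever the poster had configured.

```conf
# --- raddb/proxy.conf ---
# A realm with no home server pool is LOCAL: requests for it are
# handled by this server and never proxied. "nostrip" is left out,
# so the realm module adds Stripped-User-Name for this realm.
realm umsja {
}

# --- raddb/modules/realm (stock instance, shown for reference) ---
# Parses identities of the form "umsja\test.juliusbess".
realm ntdomain {
	format = prefix
	delimiter = "\\"
}

# --- raddb/modules/ldap ---
# server, identity, password and basedn stay as already configured.
# The filter prefers Stripped-User-Name and falls back to User-Name,
# so the search is (sAMAccountName=test.juliusbess) rather than
# (sAMAccountName=umsja\5ctest.juliusbess), which matched no object.
ldap ldap-innra.umsja.is {
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# --- raddb/sites-available/inner-tunnel ---
# Only the entries relevant to this thread are shown; the other
# default entries in this section are left unchanged.
authorize {
	# Split the NT-domain prefix before anything looks the user up.
	ntdomain

	eap {
		ok = return
	}

	# LDAP lookup happens here, inside the tunnel, using the
	# stripped name from the filter above.
	ldap-innra.umsja.is
}
```

Running the server with `radiusd -X` and checking that the `performing search` line shows the stripped name confirms the realm is being treated as local before EAP is tested.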

