rlm_ldap not populating Stripped-User-Name
Arnab Roy
arnabroy at mail.com
Tue Jan 3 18:52:15 CET 2017
Hi,
Just wondering if one of you could help me with a strange issue that
has suddenly appeared.
Freeradius Version: 3.0.11
It looks like rlm_ldap has suddenly stopped picking up the
Stripped-User-Name value; my config looks like this:
# rlm_ldap user-lookup section, as quoted by the poster.
user {
# Search filter: the nested %{%{...}:-%{...}} expansion uses Stripped-User-Name
# when it is set and falls back to the full User-Name otherwise, so a request
# without Stripped-User-Name is looked up under the unstripped name.
# NOTE(review): Stripped-User-Name is normally added by a realm module that
# runs before ldap in authorize; confirm that module still runs first.
filter =
"(samAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
# Search the whole subtree below base_dn.
scope = "sub"
base_dn = "dc=domain,dc=com"
access_positive = yes
}
All was working fine with this server for a while. The same filter is
working fine in other modules like mschap and ntlm_auth. The expansion
of the filter returns no value for the Stripped-User-Name parameter.
Here is the grep'd output of radiusd -X:
Any points where I could start looking would be much appreciated as to
why it suddenly stopped.
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "172.20.0.40"
port = 389
identity = "bindaccount"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
scope = "base"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter =
"(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
cacheable_name = yes
cacheable_dn = yes
}
client {
scope = "sub"
base_dn = ""
}
profile {
}
options {
ldap_debug = 0
chase_referrals = no
rebind = no
net_timeout = 10
res_timeout = 10
srv_timelimit = 1
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name}}
--domain=%{%{mschap:NT-Domain}:-removed.com}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
passchange {
}
--
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20444
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 10
spare = 20
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 0
retry_delay = 30
spread = no
}
Do let me know if you would like to see some additional configuration
files.
Many Thanks
Arnab