rlm_ldap not populating Stripped-User-Name

Arnab Roy arnabroy at mail.com
Tue Jan 3 19:26:01 CET 2017


   Please ignore this, I have resolved the issue. Somehow I had managed to
   move the call to suffix after the ldap call in the authorization section
   of the config. Arggh!! Apologies..

   Sent: Tuesday, January 03, 2017 at 5:52 PM
   From: "Arnab Roy" <arnabroy at mail.com>
   To: freeradius-users at lists.freeradius.org
   Subject: rlm_ldap not populating Stripped-User-Name
   Hi,
   Just wondering if one of you could help me with a strange issue that
   has suddenly appeared.
   Freeradius Version: 3.0.11
   It looks like rlm_ldap has suddenly stopped picking up the
   Stripped-User-Name value. My config looks like below:
   user {
       filter = "(samAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
       scope = "sub"
       base_dn = "dc=domain,dc=com"
       access_positive = yes
   }
   All was working fine with this server for a while. The same filter is
   working fine in other modules like mschap and ntlm_auth. The expansion
   of the filter returns no value for the Stripped-User-Name parameter.
   Here is the grep'd version of radiusd -X
   Any points where I could start looking would be much appreciated as to
   why it suddenly stopped.
   # Loaded module rlm_ldap
   # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
   ldap {
   server = "172.20.0.40"
   port = 389
   identity = "bindaccount"
   password = <<< secret >>>
   sasl {
   }
   user {
   scope = "sub"
   access_positive = yes
   sasl {
   }
   }
   group {
   scope = "base"
   name_attribute = "cn"
   membership_attribute = "memberOf"
   membership_filter =
   "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
   cacheable_name = yes
   cacheable_dn = yes
   }
   client {
   scope = "sub"
   base_dn = ""
   }
   profile {
   }
   options {
   ldap_debug = 0
   chase_referrals = no
   rebind = no
   net_timeout = 10
   res_timeout = 10
   srv_timelimit = 1
   idle = 60
   probes = 3
   interval = 3
   }
   tls {
   start_tls = no
   }
   }
   Creating attribute LDAP-Group
   # Loaded module rlm_mschap
   # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
   mschap {
   use_mppe = yes
   require_encryption = yes
   require_strong = yes
   with_ntdomain_hack = no
   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
   --username=%{%{Stripped-User-Name}:-%{User-Name}}
   --domain=%{%{mschap:NT-Domain}:-removed.com}
   --challenge=%{mschap:Challenge:-00}
   --nt-response=%{mschap:NT-Response:-00}"
   passchange {
   }
   --
   # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
   rlm_ldap: libldap vendor: OpenLDAP, version: 20444
   accounting {
   reference = "%{tolower:type.%{Acct-Status-Type}}"
   }
   post-auth {
   reference = "."
   }
   rlm_ldap (ldap): Initialising connection pool
   pool {
   start = 5
   min = 3
   max = 10
   spare = 20
   uses = 0
   lifetime = 0
   cleanup_interval = 30
   idle_timeout = 0
   retry_delay = 30
   spread = no
   }
   Do let me know if you would like to see some additional configuration
   files.
   Many Thanks
   Arnab
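
The ordering mistake described in the reply at the top, as a small check (an added example, not part of the original post and not FreeRADIUS code): it lists the module calls in an authorize section in file order and reports whether suffix is called before ldap, so that Stripped-User-Name can already be set when the ldap filter is expanded. The two sample sections and the function names are constructed for illustration.

```python
import re

# Constructed samples of an authorize section (not the poster's actual files).
BROKEN = """
authorize {
    filter_username
    preprocess
    ldap        # filter is expanded before any realm module has run
    suffix
    mschap
}
"""

FIXED = """
authorize {
    filter_username
    preprocess
    suffix      # runs first, so Stripped-User-Name can be set
    ldap
    mschap
}
"""

def authorize_calls(config_text):
    """Return the bare module calls inside authorize { ... } in file order."""
    calls, depth, inside = [], 0, False
    for raw in config_text.splitlines():
        # Naive comment strip: assumes no '#' inside quoted strings.
        line = raw.split("#", 1)[0].strip()
        if not inside:
            if re.fullmatch(r"authorize\s*\{", line):
                inside, depth = True, 1
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            break
        # A module call is a line holding one word: "ldap", "-sql", "ldap.authorize".
        if re.fullmatch(r"-?[\w.]+", line):
            calls.append(line.lstrip("-").split(".")[0])
    return calls

def runs_before(config_text, first="suffix", then="ldap"):
    """True when `first` is called before `then`; False if it is late or absent."""
    calls = authorize_calls(config_text)
    if then not in calls:
        return True  # nothing in this section depends on the ordering
    return first in calls and calls.index(first) < calls.index(then)

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, authorize_calls(text), "ok" if runs_before(text) else "suffix runs too late")
```
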