At 04:55 PM 11/14/2002 -0500, [EMAIL PROTECTED] wrote:
On Thu, Nov 14, 2002 at 04:37:05PM -0500, [EMAIL PROTECTED] wrote:
> On Thu, Nov 14, 2002 at 03:16:05PM -0600, Chris Parker wrote:
> > At 04:07 PM 11/14/2002 -0500, [EMAIL PROTECTED] wrote:
> > >Folks,
> > > I have just picked up another dialup provider, and I'm running into
> > >a problem. My first provider's proxies strip the realm before they
> > >pass it to me. The new one does not, and the users don't get authenticated.
> > >I can't figure out how or if freeradius can strip the realm if it's part
> > >of the username. Any pointers?
> >
> > Do you have the 'realm' set up in the 'proxy.conf' with a LOCAL target?
>
> Yup.
>
> > This will allow FreeRADIUS to recognize and remove the 'realm' and
> > properly use the "stripped" username when looking up the user.
>
> Doesn't seem to work. Running in -X mode didn't seem to give any
> indication.

Just in case I'm missing something (most likely), here is some output:

from radtest:
radtest [EMAIL PROTECTED] mypass buoy.com 0 mysecret
Sending Access-Request of id 60 to 208.162.111.111:1645
User-Name = "[EMAIL PROTECTED]"
User-Password = "E"4\1*;\2V3B\007\034\350"
NAS-IP-Address = users
NAS-Port = 0
rad_recv: Access-Request packet from host 208.162.111.111:55708, id=60, length=64


from radiusd -X


modcall: entering group authorize
hints: Matched DEFAULT at 64
modcall[authorize]: module "preprocess" returns ok

What is in your 'hints' file?  Let me guess, you have some @buoy.com
stuff there?

    rlm_realm: No '@' in User-Name = "tps", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop

Okay, the request hit the realm module without a realm, so this
of course won't do anything.

users: Matched DEFAULT at 145
users: Matched DEFAULT at 164
users: Matched DEFAULT at 185
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Ldap
auth: type "LDAP"
modcall: entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tps" with password "mypass"
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'dc=buoy,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.buoy.com:389, authentication 0
rlm_ldap: bind as / to ldap.buoy.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=buoy,dc=com, with filter ([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.

It is not able to find it in your LDAP store.  You need to debug that,
not the server.

Notice that rlm_realm doesn't see the '@' in the username, but it
gets unstripped to rlm_ldap

My guess is you have something in your "hints" file telling it to
mangle the User-Name and strip off '@buoy.com'. Don't do that. Let
the Realm module do its work.

Also, you may want to see previous posts on the list on how to tell
LDAP to use the Stripped-User-Name ( created by the realm module )
if it exists ( to handle '[EMAIL PROTECTED]' ) or User-Name if it doesn't
( to handle 'tps' ).

-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
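
The two settings Chris points to, as an added configuration sketch that is not from the thread or from the FreeRADIUS distribution: a LOCAL realm in proxy.conf so the realm ("suffix") module does the stripping, and an LDAP filter that uses Stripped-User-Name when it exists and User-Name otherwise. The `uid` attribute and the stanza layout (that of FreeRADIUS releases from this period) are assumptions; buoy.com, the LDAP host, the base DN and the module order are the values shown in the debug output above.

```conf
# --- proxy.conf ---------------------------------------------------------
# LOCAL target: the realm module recognises "@buoy.com", removes it, and
# the request is handled by this server instead of being proxied.
realm buoy.com {
	type     = radius
	authhost = LOCAL
	accthost = LOCAL
}

# --- hints --------------------------------------------------------------
# No entry here should strip "@buoy.com". If preprocess removes the realm
# first, the realm module sees no '@' (the "looking up realm NULL" line in
# the debug output) and returns noop.

# --- radiusd.conf -------------------------------------------------------
modules {
	ldap {
		server = "ldap.buoy.com"
		basedn = "dc=buoy,dc=com"
		# Assumed attribute name (uid). The ":-" form expands to
		# Stripped-User-Name when the realm module created it, and falls
		# back to User-Name for logins that arrive without a realm.
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	}
}

# Same order as in the debug output: preprocess, then suffix, then files.
authorize {
	preprocess
	suffix
	files
}
```

With this in place, a `radiusd -X` run should show rlm_realm finding the '@' in the User-Name and the rlm_ldap search filter carrying the stripped name.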
