yes.

-----Original Message-----
From: Kenneth Grady [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 October 2005 16:20
To: FreeRadius users mailing list
Subject: Re: WG: Problem conversion of User-Name

in your /etc/krb5.conf do you have
...
[realms]
apfelbaum.de ={
kdc = kerberos...

On Thu, 2005-10-13 at 07:58, [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > I have a problem after converting a User-Name of the form 27180769 to
> > [EMAIL PROTECTED]
> >
> > After radius-server authorized the request I want to convert my user to an
> > @-form to pass it to the rlm_krb5-module for authentication, because we
> > have different Kerberos-Realms and the name 27180769 is probably not
> > enough to pick the right Kerberos-Server from krb5.conf.
> >
> > For this sake my external program gives back a value pair in the form
> > "User-Name := [EMAIL PROTECTED]", after I feed it with the LDAP-DN
> > from the LDAP-request, to pick the right realm.
> >
> > It seems that the memory allocated for User-Name is not reallocated, so
> > vals of other vars were overwritten after the program returns.
> >
> > here is my debug-output from radiusd -s -xx:
> >
> > Exec-Program: /usr/local/bin/convert.php
> > CN=27180769,CN=Users,DC=apfelbaum,DC=de
> > Exec-Program output: User-Name := [EMAIL PROTECTED]
> > Exec-Program-Wait: value-pairs: User-Name := [EMAIL PROTECTED]
> > Exec-Program: returned: 0
> > modcall[authorize]: module "convert_name" returns ok for request 0
> > rlm_ldap: Entering ldap_groupcmp()
> > radius_xlat: 'dc=apfelbaum,dc=de'
> > radius_xlat:
> > '(|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(
> > &(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apf
> > elbaum,DC=de)))'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de,
> > with filter
> > (|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&
> > (objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfe
> > lbaum,DC=de)))
> > rlm_ldap::ldap_groupcmp: User found in group
> > cn=modemuser,cn=Users,dc=apfelbaum,dc=de
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > users: Matched entry DEFAULT at line 219
> > radius_xlat: 'number=08912124447 direction=outgoing'
> > modcall[authorize]: module "files" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> > rad_check_password: Found Auth-Type Kerberos
> > auth: type "Kerberos"
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 0
> > rlm_krb5:
> > [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=
> > de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in
> > requested realm
> > modcall[authenticate]: module "krb5" returns reject for request 0
> > modcall: group authenticate returns reject for request 0
> > auth: Failed to validate the user.
> > Login incorrect:
> > [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from
> > client localhost port 0)
> >
> >
> > a snap from radiusd.conf:
> >
> >
> > exec convert_name {
> >         wait=yes
> >         program ="/usr/local/bin/convert.php %{Ldap-UserDn}"
> >         input_pairs = request
> >         output_pairs = request
> > }
> >
> > authorize {
> >         ldap {
> >                 notfound = return
> >         }
> >         convert_name
> >         files
> > }
> >
> > my users-file:
> >
> > DEFAULT Ldap-Group == "cn=modemuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type:=Kerberos
> >         DIALT := "number=%{reply:DIALT} direction=outgoing",
> >         PPPT := "callback=ppp_offered blocktime=3 Layer1Protocol=modem",
> >         Idle-Timeout = 900,
> >         Framed-Protocol = PPP,
> >         User-Service := 2,
> >         Fall-Through = 0,
> >         Framed-Netmask := 255.255.255.255
> >
> > DEFAULT Ldap-Group == "cn=isdnuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type:=Kerberos
> >         DIALT := "number=%{reply:DIALT} direction=outgoing",
> >         PPPT := "callback=ppp_offered blocktime=3",
> >         Idle-Timeout = 900,
> >         Framed-Protocol = PPP,
> >         User-Service := 2,
> >         Fall-Through = 0,
> >         Framed-Netmask := 255.255.255.255
> >
> >
> > DEFAULT Auth-Type := Reject
> >         Reply-Message = "Your account has been disabled."
> >
> >
> > greetings
> > Marcus Koestler
> > Bayerisches Landeskriminalamt
> > SG 343, Netztechnik
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
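
The conversion step described in the quoted post (LDAP DN in, one `User-Name := ...` pair out), as an added example in Python that is not the poster's convert.php. The user@realm form built from the DC components and the digits-only user name are assumptions, since the addresses on the page are redacted; any DN that cannot be mapped is refused so that only a single validated pair reaches stdout.

```python
import re
import sys

# Assumption: user names are numeric IDs like the 27180769 in the post.
USER_RE = re.compile(r"[0-9]{1,32}")
# Each DC component must be a plain DNS label.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def split_dn(dn):
    """Split a DN into (type, value) pairs; escaped or multi-valued RDNs are refused."""
    if "\\" in dn or "+" in dn or '"' in dn:
        raise ValueError("escaped, quoted or multi-valued RDNs are not accepted")
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_to_pair(dn):
    """Return the 'User-Name := user@realm' line for one LDAP DN."""
    pairs = split_dn(dn)
    if pairs[0][0] != "CN":
        raise ValueError("leftmost RDN must be the user's CN")
    user = pairs[0][1]
    labels = [value for attr, value in pairs if attr == "DC"]
    if not USER_RE.fullmatch(user):
        raise ValueError("unexpected characters in user name")
    if not labels or not all(LABEL_RE.fullmatch(label) for label in labels):
        raise ValueError("cannot derive a realm from the DC components")
    # Assumption: the realm is the dotted DC components, lower case as in the krb5.conf reply.
    realm = ".".join(labels).lower()
    return "User-Name := %s@%s" % (user, realm)


def main(argv):
    try:
        print(dn_to_pair(argv[1]))
    except (IndexError, ValueError) as exc:
        print("convert: %s" % exc, file=sys.stderr)
        return 1  # non-zero exit; nothing is written to stdout
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```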