I've about got it, but now I am getting an EAP error saying the username isn't correct.

I added this above preprocess:
attr_rewrite add-dollar-sign {
        attribute = User-Name
        searchfor = "^host/(.*)"
        searchin = packet
        new_attribute = no
        replacewith = "%{1}$"
}

I've added add-dollar-sign to authorize { section.

rad_recv: Access-Request packet from host 10.1.22.11:2135, id=64, length=168
       NAS-IP-Address = 10.1.22.11
       NAS-Port-Type = Wireless-802.11
       NAS-Port = 12
       Framed-MTU = 1400
       User-Name = "host/itf-toshiba-asd"
       Calling-Station-Id = "000e35ff2a82"
       Called-Station-Id = "00186ecfa600"
       NAS-Identifier = "ap01.intranet.domain.com"
       EAP-Message = 0x02010019234486f73742f6974662d746f73686962612d617364
       Message-Authenticator = 0x2b72b4ab80aaf3aa96b4613f3ab872341d
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
radius_xlat:  '^host/(.*)'
radius_xlat:  'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
 modcall[authorize]: module "add-dollar-sign" returns ok for request 2
 modcall[authorize]: module "preprocess" returns ok for request 2
 modcall[authorize]: module "chap" returns noop for request 2
 modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '\' in User-Name = "itf-toshiba-asd$", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "DOMAIN" returns noop for request 2
 rlm_eap: EAP packet type response id 1 length 25
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat:  '(uid=itf-toshiba-asd$)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (&(cn=wireless)(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$)))
rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "files" returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for itf-toshiba-asd$
radius_xlat:  '(uid=itf-toshiba-asd$)'
radius_xlat:  'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$)
rlm_ldap: checking if remote access for itf-toshiba-asd$ is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [W ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 78389E5DE0CCA3A288568FADB746063D & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user itf-toshiba-asd$ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
 rlm_eap: Failed in handler
 modcall[authenticate]: module "eap" returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds



[EMAIL PROTECTED] wrote:
Hi,
I need machines to be able to authenticate so that a user who has never logged onto a computer can, by the machine having an active network connection and pulling the credentials from the samba-ldap domain. I have a realm set up to strip the domain/ part of the username, which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quite figure out how to add the $ to the end. Thanks.

Use the link on the Novell site as per the discussions earlier today.

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
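
An added example (not part of the original thread and not FreeRADIUS code) that reproduces the comparison behind the "Identity does not match User-Name" line in the debug output above: the add-dollar-sign rule rewrites User-Name, while the identity carried inside EAP-Message stays as the client sent it. The EAP packet is constructed from the User-Name shown in the log, and all function names are hypothetical.

```python
import re
import struct

# Same pattern as the thread's rule: searchfor = "^host/(.*)", replacewith = "%{1}$"
HOST_RE = re.compile(r"^host/(.*)")

def rewrite_user_name(user_name):
    """Mimic add-dollar-sign: host/<name> becomes <name>$, anything else is unchanged."""
    m = HOST_RE.match(user_name)
    return f"{m.group(1)}$" if m else user_name

def build_identity_response(eap_id, identity):
    """Constructed EAP-Response/Identity (RFC 3748): code=2, id, length, type=1, data."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data

def parse_identity(eap_message):
    """Return the identity string from an EAP-Response/Identity packet."""
    if len(eap_message) < 5:
        raise ValueError("EAP packet too short")
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if code != 2 or eap_type != 1:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(eap_message):
        raise ValueError("EAP length field does not match packet size")
    return eap_message[5:length].decode("utf-8", "replace")

def identity_matches(user_name, eap_message):
    """The check the log line reports: EAP identity compared with User-Name."""
    return parse_identity(eap_message) == user_name

# Constructed sample values, taken from the User-Name and EAP id in the debug log.
ORIGINAL = "host/itf-toshiba-asd"
EAP_MSG = build_identity_response(1, ORIGINAL)
REWRITTEN = rewrite_user_name(ORIGINAL)

if __name__ == "__main__":
    print("EAP length:", len(EAP_MSG))
    print("EAP identity:", parse_identity(EAP_MSG))
    print("User-Name after rewrite:", REWRITTEN)
    print("match before rewrite:", identity_matches(ORIGINAL, EAP_MSG))
    print("match after rewrite:", identity_matches(REWRITTEN, EAP_MSG))
```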
