Júlíus Þór Bess Ríkharðsson wrote:
> Alan: The goal is to be able to use EAP and still be able to authorize users
> using LDAP. The object's name is obviously not named realm\user.

Yes. Plenty of other people get this to work.

> The behaviour is the same for EAP (just longer output :)), I don't get the
> option of Stripped-User-Name. And when I unset nostrip; User-Name gets
> stripped along with Stripped-User-Name being set and the tunnel doesn't work.

You've set the request to be proxied. Why? What's wrong with just processing the request in the inner-tunnel virtual server? i.e. configure raddb/sites-available/inner-tunnel to do LDAP lookups for the user.

If you're not sure how the server works, you shouldn't be creating a complicated configuration.

> [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with
> filter (sAMAccountName=umsja\5ctest.juliusbess)
> [ldap-innra.umsja.is] rebind to URL
> ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is
> [ldap-innra.umsja.is] rebind to URL
> ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is
> [ldap-innra.umsja.is] object not found
> [ldap-innra.umsja.is] search failed

So... what is hard to understand about that?

> Without nostrip:
> [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with
> filter (sAMAccountName=test.juliusbess)
> [ldap-innra.umsja.is] rebind to URL
> ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is
> [ldap-innra.umsja.is] rebind to URL
> ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is
> [ldap-innra.umsja.is] looking for check items in directory...
> [ldap-innra.umsja.is] extensionAttribute10 -> Jira-Key == "MEF"
> [ldap-innra.umsja.is] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the
> user is configured correctly?

And that should be useful, too.

You've butchered the default configuration. Why? Just... why?

- start with the default configuration
- ensure that LDAP works for non-EAP
- ensure that LDAP works with the inner-tunnel

use v2.2.0 for this. Really.

Read raddb/sites-available/inner-tunnel

- configure the realm as a LOCAL realm.
- it WILL WORK.

Whatever you've done is four times the work, more complicated, and fragile. And the LDAP lookups aren't working at *all*. So even if you fix the EAP / User-Name issue, the system STILL won't work.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
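As an added illustration (not part of Alan's message or the stock FreeRADIUS files), here is what the "LOCAL realm, handled in inner-tunnel" setup described above looks like for a domain\user style name. It assumes FreeRADIUS 2.2.0, a realm prefix of `umsja` as in the quoted log, placeholder bind credentials, and an inner method (EAP-TTLS/PAP) that lets rlm_ldap authenticate by binding as the user.

```conf
# raddb/modules/realm -- add an instance that splits "umsja\test.juliusbess"
# on the backslash; the default "suffix" instance only understands user@realm.
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_default = no
    ignore_null = no
}

# raddb/proxy.conf -- a realm with no auth_host / auth_pool is LOCAL: the
# request is handled here and never proxied. Leave "nostrip" out so that
# Stripped-User-Name becomes "test.juliusbess" for the LDAP filter below.
realm umsja {
}

# raddb/modules/ldap -- AD keys accounts by sAMAccountName; the filter uses
# the stripped name when a realm was found and falls back to the full User-Name.
ldap {
    server = "innra.umsja.is"
    identity = "CN=radius,CN=Users,DC=innra,DC=umsja,DC=is"   # placeholder bind DN
    password = "CHANGEME"                                      # placeholder
    basedn = "DC=innra,DC=umsja,DC=is"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    # AD does not hand out a password attribute, so rlm_ldap sets
    # Auth-Type = LDAP (set_auth_type defaults to yes) and authenticates
    # by binding as the user with the password from the inner request.
}

# raddb/sites-available/inner-tunnel -- process the tunneled request locally
# instead of proxying it out of the tunnel.
server inner-tunnel {
    authorize {
        ntdomain      # sets Stripped-User-Name, realm "umsja" is LOCAL
        ldap          # looks the user up with the stripped name
    }
    authenticate {
        Auth-Type LDAP {
            ldap      # bind check; only possible with a PAP inner method
        }
    }
}
```

Check it with a non-EAP request first (radtest against the default server with the same ntdomain/ldap lines in sites-available/default), then with the inner-tunnel, as the message advises.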