AW: WG: Problem conversion of User-Name

2005-10-13 Thread marcus . koestler
yes.

-Original Message-
From: Kenneth Grady [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 October 2005 16:20
To: FreeRadius users mailing list
Subject: Re: WG: Problem conversion of User-Name


in your /etc/krb5.conf do you have
...
[realms]
apfelbaum.de ={
kdc = kerberos...


On Thu, 2005-10-13 at 07:58, [EMAIL PROTECTED] wrote:
> > Hello,
> > 
> > I have a problem after converting a User-Name of the form 27180769 to
> > [EMAIL PROTECTED]
> > 
> > After radius-server authorized the request I want to convert my user to an
> > @-form to pass it to the rlm_krb5-module for authentication, because we
> > have different Kerberos-Realms and the Name 27180769 is probably not
> > enough to pick the right Kerberos-Server from krb5.conf.
> > 
> > For this sake my external program gives back a value pair in the form
> > "User-Name := [EMAIL PROTECTED]", after I feed it with the LDAP-DN
> > from the LDAP-request, to pick the right realm.
> > 
> > It seems that the memory allocated for User-Name is not reallocated, so
> > vals of other vars were overwritten after the program returns.
> > 
> > here is my debug-output from radiusd -s -xx:
> > 
> > Exec-Program: /usr/local/bin/convert.php CN=27180769,CN=Users,DC=apfelbaum,DC=de
> > Exec-Program output: User-Name := [EMAIL PROTECTED]
> > Exec-Program-Wait: value-pairs: User-Name := [EMAIL PROTECTED]
> > Exec-Program: returned: 0
> >   modcall[authorize]: module "convert_name" returns ok for request 0
> > rlm_ldap: Entering ldap_groupcmp()
> > radius_xlat:  'dc=apfelbaum,dc=de'
> > radius_xlat: '(|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)))'
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de, with filter (|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)))
> > rlm_ldap::ldap_groupcmp: User found in group cn=modemuser,cn=Users,dc=apfelbaum,dc=de
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > users: Matched entry DEFAULT at line 219
> > radius_xlat:  'number=08912124447 direction=outgoing'
> >   modcall[authorize]: module "files" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> >   rad_check_password:  Found Auth-Type Kerberos
> > auth: type "Kerberos"
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 0
> > rlm_krb5: [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in requested realm
> >   modcall[authenticate]: module "krb5" returns reject for request 0
> > modcall: group authenticate returns reject for request 0
> > auth: Failed to validate the user.
> > Login incorrect: [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from client localhost port 0)
> > 
> > 
> > a snap from radiusd.conf:
> > 
> > 
> > exec convert_name {
> >     wait = yes
> >     program = "/usr/local/bin/convert.php %{Ldap-UserDn}"
> >     input_pairs = request
> >     output_pairs = request
> > }
> > 
> > authorize {
> >     ldap {
> >         notfound = return
> >     }
> >     convert_name
> >     files
> > }
> > 
> > my users-file:
> > 
> > DEFAULT Ldap-Group == "cn=modemuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type := Kerberos
> >     DIALT := "number=%{reply:DIALT} direction=outgoing",
> >     PPPT := "callback=ppp_offered blocktime=3 Layer1Protocol=modem",
> >     Idle-Timeout = 900,
> >     Framed-Protocol = PPP,
> >     User-Service := 2,
> >     Fall-Through = 0,
> >     Framed-Netmask := 255.255.255.255
> > 
> > DEFAULT Ldap-Group == "cn=isdnuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type := Kerberos
> >     DIALT := "number=%{reply:DIALT} direction=outgoing",
> >     PPPT := "callback=ppp_offered blocktime=3",
> >     Idle-Timeout = 900,
> >     Framed-Protocol = PPP,
> >     User-Service := 2,
> >     Fall-Through = 0,
> >     Framed-Netmask := 255.255.255.255
> > 
> > 
> > DEFAULT Auth-Type := Reject
> >     Reply-Message = "Your account has been disabled."
> > 
> > 
> > greetings
> > Marcus Koestler
> > Bayerisches Landeskriminalamt
> > SG 343, Netztechnik
> - 
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



WG: Problem conversion of User-Name

2005-10-13 Thread marcus . koestler


> Hello,
> 
> I have a problem after converting a User-Name of the form 27180769 to
> [EMAIL PROTECTED]
> 
> After radius-server authorized the request I want to convert my user to an
> @-form to pass it to the rlm_krb5-module for authentication, because we
> have different Kerberos-Realms and the Name 27180769 is probably not
> enough to pick the right Kerberos-Server from krb5.conf.
> 
> For this sake my external program gives back a value pair in the form
> "User-Name := [EMAIL PROTECTED]", after I feed it with the LDAP-DN
> from the LDAP-request, to pick the right realm.
> 
> It seems that the memory allocated for User-Name is not reallocated, so
> vals of other vars were overwritten after the program returns.
> 
> here is my debug-output from radiusd -s -xx:
> 
> Exec-Program: /usr/local/bin/convert.php CN=27180769,CN=Users,DC=apfelbaum,DC=de
> Exec-Program output: User-Name := [EMAIL PROTECTED]
> Exec-Program-Wait: value-pairs: User-Name := [EMAIL PROTECTED]
> Exec-Program: returned: 0
>   modcall[authorize]: module "convert_name" returns ok for request 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=apfelbaum,dc=de'
> radius_xlat: '(|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de, with filter (|(&(objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)))
> rlm_ldap::ldap_groupcmp: User found in group cn=modemuser,cn=Users,dc=apfelbaum,dc=de
> rlm_ldap: ldap_release_conn: Release Id: 0
> users: Matched entry DEFAULT at line 219
> radius_xlat:  'number=08912124447 direction=outgoing'
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type Kerberos
> auth: type "Kerberos"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_krb5: [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in requested realm
>   modcall[authenticate]: module "krb5" returns reject for request 0
> modcall: group authenticate returns reject for request 0
> auth: Failed to validate the user.
> Login incorrect: [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from client localhost port 0)
> 
> 
> a snap from radiusd.conf:
> 
> 
> exec convert_name {
>     wait = yes
>     program = "/usr/local/bin/convert.php %{Ldap-UserDn}"
>     input_pairs = request
>     output_pairs = request
> }
> 
> authorize {
>     ldap {
>         notfound = return
>     }
>     convert_name
>     files
> }
> 
> my users-file:
> 
> DEFAULT Ldap-Group == "cn=modemuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type := Kerberos
>     DIALT := "number=%{reply:DIALT} direction=outgoing",
>     PPPT := "callback=ppp_offered blocktime=3 Layer1Protocol=modem",
>     Idle-Timeout = 900,
>     Framed-Protocol = PPP,
>     User-Service := 2,
>     Fall-Through = 0,
>     Framed-Netmask := 255.255.255.255
> 
> DEFAULT Ldap-Group == "cn=isdnuser,cn=Users,dc=apfelbaum,dc=de", Auth-Type := Kerberos
>     DIALT := "number=%{reply:DIALT} direction=outgoing",
>     PPPT := "callback=ppp_offered blocktime=3",
>     Idle-Timeout = 900,
>     Framed-Protocol = PPP,
>     User-Service := 2,
>     Fall-Through = 0,
>     Framed-Netmask := 255.255.255.255
> 
> 
> DEFAULT Auth-Type := Reject
>     Reply-Message = "Your account has been disabled."
> 
> 
> greetings
> Marcus Koestler
> Bayerisches Landeskriminalamt
> SG 343, Netztechnik
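
An added example, not part of the original post and not the poster's convert.php: a Python stand-in for the external program described above, which turns the LDAP DN into a "User-Name := user@realm" pair, accepts only a restricted character set and realms on an allow-list, and otherwise prints nothing and exits non-zero. The allow-list contents, the lowercase realm form (taken from the krb5.conf excerpt in the reply) and the permitted characters are assumptions.

```python
#!/usr/bin/env python3
"""Added example: stand-in for the thread's convert.php (not the poster's code)."""
import re
import sys

# Assumption: realms the server may authenticate against, i.e. the names under
# [realms] in /etc/krb5.conf. Only apfelbaum.de appears in the thread.
ALLOWED_REALMS = {"apfelbaum.de"}

# One RDN: attribute type, '=', and a value free of DN and value-pair
# metacharacters (no quotes, commas, '=', spaces or newlines inside it).
RDN_RE = re.compile(r'^\s*([A-Za-z]+)\s*=\s*([A-Za-z0-9._-]+)\s*$')
MAX_USER_NAME = 253  # a RADIUS attribute value carries at most 253 octets


def dn_to_user_name(dn):
    """Return 'cn@realm' for a DN like CN=x,CN=Users,DC=a,DC=b, else raise."""
    rdns = []
    for part in dn.split(","):
        m = RDN_RE.match(part)
        if m is None:
            raise ValueError("unsupported RDN: %r" % part)
        rdns.append((m.group(1).upper(), m.group(2)))
    if rdns[0][0] != "CN":
        raise ValueError("DN does not start with CN=")
    # Build the realm from the DC components, in DN order.
    realm = ".".join(v for t, v in rdns if t == "DC").lower()
    if realm not in ALLOWED_REALMS:
        raise ValueError("realm %r not in allow-list" % realm)
    user_name = "%s@%s" % (rdns[0][1], realm)
    if len(user_name.encode()) > MAX_USER_NAME:
        raise ValueError("User-Name too long")
    return user_name


def main(argv):
    if len(argv) != 2:
        return 1
    try:
        name = dn_to_user_name(argv[1])
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 1  # non-zero exit, no value pair written to stdout
    print("User-Name := %s" % name)  # same unquoted form as in the debug log
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```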