Re: Problems with User-Name/Stripped-User-Name

2005-07-28 Thread Nicolas Baradakis
Erling Paulsen wrote:

> Only that, if there is a 'Stripped-User-Name' attribute in the request, it
> seems that the server automatically uses this instead of 'User-Name' when
> proxying.

Ah, yes. I didn't know the server does that.

Question for Alan: in src/main/proxy.c should we check the value
of realm.striprealm before overwriting the User-Name with the
Stripped-User-Name?

> I fixed it a little dirty by rewriting the stripped username to
> the 'Hint' attribute - using %{Hint} in the ldap filter, and then
> 'User-Name' can be used in all its full glory for EAP proxy to the remote
> server.
>
> If I ever must use the Hint attr I will remake a better solution.

You could add an additional attribute at the end of /etc/raddb/dictionary
for that purpose.

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems with User-Name/Stripped-User-Name

2005-07-28 Thread Alan DeKok
Nicolas Baradakis [EMAIL PROTECTED] wrote:
> Question for Alan: in src/main/proxy.c should we check the value
> of realm.striprealm before overwriting the User-Name with the
> Stripped-User-Name?

  Sure.

  Alan DeKok.


Problems with User-Name/Stripped-User-Name

2005-07-27 Thread Erling Paulsen
Hello.

Is it possible to have the stripped username stored somewhere, even
if I set 'nostrip' for a realm in proxy.conf?

My setting is this, and this is the only problem I have left on my server:

01 I have a realm example.com, and this realm has 'nostrip' in its
definition in proxy.conf

02 If I detect it's an EAP request I proxy it to another realm (in the
users file) and this works great - as '[EMAIL PROTECTED]'.

03 If it's not an EAP request I want the local LDAP module to handle the
request, just that I now need the stripped username, and the realm has
already made it 'nostrip'. Here I want just 'user' instead of
'[EMAIL PROTECTED]'.

If I change the filter in the LDAP module to match on
%{Stripped-User-Name}, then this is of course empty. It would be nice to
have some way to make both User-Name and Stripped-User-Name exist at the
same time.

If I remove the 'nostrip' from the realm it works for local ldap module
handling but not for proxy to remote server for EAP, because that server
requires the full non-stripped username.

Any hints as to fix this little problem?

- Erling
 
-- 
|sig|---
[EMAIL PROTECTED]
Nettseksjonen, ITavd UiT


Re: Problems with User-Name/Stripped-User-Name

2005-07-27 Thread Nicolas Baradakis
Erling Paulsen wrote:

> Is it possible to have the stripped username stored somewhere, even
> if I set 'nostrip' for a realm in proxy.conf?

You can create the attribute Stripped-User-Name with another module
than rlm_realm. For example, you could have in radiusd.conf:

modules {
    # Create Stripped-User-Name in the request as a copy of User-Name
    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchin = packet
        searchfor = 
        replacewith = %{User-Name}
    }

    # Remove the realm part (everything from '@') from Stripped-User-Name
    attr_rewrite strip.user-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = @.*$
        replacewith = 
        max_matches = 1
    }
    ...
}

authorize {
    # Run the copy first, then the strip
    copy.user-name
    strip.user-name
    ...
}

-- 
Nicolas Baradakis
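
The attribute handling discussed in this thread, modelled in Python as an added example (it is not FreeRADIUS code and not from any of the posters). It shows the copy-then-strip rewrite, the proxy behaviour Erling reported, and the striprealm check proposed for src/main/proxy.c. The function names, the dict representation of a request and the sample user names are assumptions constructed for illustration.

```python
import re

# Same pattern as searchfor in strip.user-name: everything from the first '@'.
REALM_SUFFIX = re.compile(r"@.*$")


def authorize(request):
    """Model of running copy.user-name and then strip.user-name."""
    out = dict(request)
    # copy.user-name: new_attribute = yes, value taken from %{User-Name}
    out["Stripped-User-Name"] = out["User-Name"]
    # strip.user-name: max_matches = 1, so at most one substitution
    out["Stripped-User-Name"] = REALM_SUFFIX.sub(
        "", out["Stripped-User-Name"], count=1)
    return out


def proxied_user_name_reported(request):
    """Behaviour reported in the thread: Stripped-User-Name replaces
    User-Name whenever it is present in the request."""
    return request.get("Stripped-User-Name", request["User-Name"])


def proxied_user_name_checked(request, striprealm):
    """Proposed check: only substitute when the realm is set to strip."""
    if striprealm and "Stripped-User-Name" in request:
        return request["Stripped-User-Name"]
    return request["User-Name"]


if __name__ == "__main__":
    # Constructed sample names: with realm, without realm, with two '@'.
    for name in ("user@example.com", "user", "a@b@example.com"):
        req = authorize({"User-Name": name})
        print("%-18s local lookup=%-6s reported proxy=%-6s "
              "checked proxy (nostrip)=%s" % (
                  name,
                  req["Stripped-User-Name"],
                  proxied_user_name_reported(req),
                  proxied_user_name_checked(req, striprealm=False)))
```

Because the pattern is greedy from the first '@', a name containing two '@' characters is reduced to the part before the first one, so the local LDAP lookup and the realm match may be working from different parts of the same string.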