RE: realm question
> Hi,
>
> > Can I strip the "idm/something/" somehow?
>
> sure. a simple strip in the config would work... or unlang of course.
>
> eg in radiusd.conf
>
>     attr_rewrite copy.user-name {
>         attribute = Stripped-User-Name
>         new_attribute = yes
>         searchfor = ""
>         searchin = packet
>         replacewith = "%{User-Name}"
>     }
>
>     attr_rewrite remove-junk {
>         attribute = Stripped-User-Name
>         searchfor = "^idm/something/"
>         searchin = packet
>         new_attribute = no
>         replacewith = ""
>     }
>
> then in sites-enabled/default (or usual server) add
>
>     copy.user-name
>     remove-junk
>
> in the authorize section alongside prefix, suffix, ntrealm etc

Hi Alan,

Thank you for your reply, it worked great with a couple of tweaks.

For those trying to implement the same type of idea, the code works great when added to the modules/attr_rewrite module instead of in the radiusd.conf file.

In your sites-available/whatever, the order of the processing is important. I have a realm set up to strip off after the @domain, but if the attr_rewrite modules are called before the suffix module, the suffix module will not pass the Stripped-User-Name that was required in my case; it will pass the whole [EMAIL PROTECTED] as the username. If you place the rewrite module names after the suffix, everything works great.

Cheers,
Jeff.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: realm question
Hi,

> Can I strip the "idm/something/" somehow?

sure. a simple strip in the config would work... or unlang of course.

eg in radiusd.conf

    # first copy the full User-Name into a new Stripped-User-Name attribute
    # (with new_attribute = yes the attribute is created with the
    #  expanded replacewith value; searchfor is not used)
    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor = ""
        searchin = packet
        replacewith = "%{User-Name}"
    }

    # then delete the leading "idm/something/" from that copy.
    # searchfor is a regex without surrounding slashes; "/" needs no
    # escaping, and "^" anchors the match at the start of the name so
    # only the prefix is removed.
    attr_rewrite remove-junk {
        attribute = Stripped-User-Name
        searchfor = "^idm/something/"
        searchin = packet
        new_attribute = no
        replacewith = ""
    }

then in sites-enabled/default (or usual server) add

    copy.user-name
    remove-junk

in the authorize section alongside prefix, suffix, ntrealm etc

alan
Re: Realm question
Hmmm this might be overly complicated but you could configure realm1 to proxy back to yourself, stripping the realm, then configure each of the other two as local realms? I imagine there must be a nicer way...

Alex

On 20/08/07, Jeff Crowe <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Sorry if this question has been answered (I did search the archives and
> google to no avail): I have subscribers that connect with 2 realms as the
> prefix. How do I strip both and just authenticate locally?
>
> IE: username: realm1/realm2/username or realm1/realm3/username. Realm1
> will always be present followed by either realm2 or realm3 (no others).
>
> Thanks,
>
> Jeff
Re: Realm question..
On Tuesday 25 April 2006 01:43, TS wrote:
> > What does debugging mode say?
>
> Exactly what you'd expect it to say if the realm isn't in proxy.conf:
>
> #
> rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115,
> length=68 User-Name = "[EMAIL PROTECTED]"
> User-Password = "acc355"
> ...
>
> The user doesn't exist as the entry in users just has the username as
> "user1" and the request is sending [EMAIL PROTECTED]

The original users example you posted had the username of "[EMAIL PROTECTED]" with a password of "secret". Here you say the users file has just "user1". Which is correct?

> I want radius to first check to see if the request needs to be proxied.

It will do this if you have a realm module listed in the authorize section. The suffix realm module is listed in the default config.

> If not then authenticate it locally no matter what the realm is but before
> authenticating it strip off the realm and just use everything before the @
> sign as the username.

Alan's hint to use LOCAL is still correct. If you know the realms people will be using, you can list them in the proxy.conf file. If you want to catch any realm not already defined and send that to local auth, that is pretty easy to accomplish. Please read doc/proxy for a better understanding of how realms work with proxying, and also how the 2 special realms work. If you're still stumped, post back with your questions.

Kevin Bonner
Re: Realm question..
"TS" <[EMAIL PROTECTED]> wrote:
> The object is to not to have to configure any realms as local.

That conflicts directly with your requirement to allow users to log in as "user" or "[EMAIL PROTECTED]".

> If I have a user whose username is [EMAIL PROTECTED] I can easily specify
> arealm.com as local. But if by mistake the user types the username as
> [EMAIL PROTECTED] auth will just fail because the realm isn't specified in
> proxy.conf.

Then you can't use realms. You've got to configure a module to strip out everything after the "@" sign. The "realms" module, and proxy.conf are meant to deal with known realms. If you want to deal with unknown realms, you have to use something else.

> If not then authenticate it locally no matter what the realm is but before
> authenticating it strip off the realm and just use everything before the @
> sign as the username.

Then configure it to do that, but you can't use realms. You'll have to use another module to re-write the username for the packets that aren't proxied.

The simplest thing for you to do might be to create a wildcard realm by modifying rlm_realm.

Alan DeKok.
RE: Realm question..
>> Is there a way of getting radius to authenticate on the username before
>> the @ sign and ignore the realm?

> Yes, but you have to edit the "users" file to get rid of the
> "@realm" portion, and configure the realms as LOCAL ones.

The object is to not to have to configure any realms as local. So that Radius will try to auth any realm that isn't to be proxied. If I have a user whose username is [EMAIL PROTECTED] I can easily specify arealm.com as local. But if by mistake the user types the username as [EMAIL PROTECTED] auth will just fail because the realm isn't specified in proxy.conf.

> What does debugging mode say?

Exactly what you'd expect it to say if the realm isn't in proxy.conf:

#
rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115, length=68
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "acc355"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: Looking up realm "arealm.com" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: No such realm "arealm.com"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
  modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns ok for request 2
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/acc355] (from client localhost port 1645)
Delaying request 2 for 1 seconds
Finished request 2
##

The user doesn't exist as the entry in users just has the username as "user1" and the request is sending [EMAIL PROTECTED]

I want radius to first check to see if the request needs to be proxied. If not then authenticate it locally no matter what the realm is but before authenticating it strip off the realm and just use everything before the @ sign as the username.

Tony
Re: Realm question..
"TS" <[EMAIL PROTECTED]> wrote:
> Is there a way of getting radius to authenticate on the username before the @
> sign and ignore the realm?

Yes, but you have to edit the "users" file to get rid of the "@realm" portion, and configure the realms as LOCAL ones.

> Obviously if the realm is one that we proxy then it should be proxied as
> such and any that aren't in the proxy.conf file authenticated locally.

That's what LOCAL is for. See proxy.conf.

> I've tried adding "strip" to the LOCAL entry in proxy.conf and also just
> adding the entry: ...
> to the radius users file but it won't authenticate.

What does debugging mode say?

What has to be updated in the documentation to convince people to run the server in debugging mode, and to read the output?

Alan DeKok.
Re: realm question
jesk <[EMAIL PROTECTED]> wrote:
> Am I right that there is no way to do it?

Yes, there is. See the "realms" module.

Alan DeKok.
Re: realm question
On Thursday 13 May 2004 09:19, jesk wrote:
> hi again,
>
> I got a username with realms like this: realm1/foobar%realm2
> Is there a way to use realm2 as proxy realm local and get
> realm1 stripped away?
> I don't want realm1 for authorizing, authentication and accounting.
>
> thanks in advance,
> christian

Am I right that there is no way to do it?
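The realm handling argued over in these threads (the unknown "@arealm.com" realm in "Realm question..", Jeff's realm1/realm2/username prefixes, and jesk's realm1/foobar%realm2 name), as an added example that is not part of the original posts and not FreeRADIUS code: a small Python model of the lookup an rlm_realm instance performs in the authorize section. The realm table stands in for proxy.conf; the special names LOCAL (not proxied), DEFAULT (catch-all for otherwise-unknown realms) and NULL (no delimiter present) follow the module's documented behaviour, while Realm, Request, realm_module, run_authorize, effective_user and the home-server names are assumptions made for this illustration. It runs each configured (format, delimiter) instance in order, the way the modules are listed in authorize, and reports what the users file would be asked for and whether the request would be proxied.

```python
# Added example (not FreeRADIUS code): a Python model of the realm lookup that
# rlm_realm performs in the authorize section, used to walk through the cases in
# these threads. The realm table stands in for proxy.conf; "LOCAL" (a realm that is
# not proxied), "DEFAULT" (catch-all for otherwise-unknown realms) and "NULL" (no
# delimiter present) follow the module's documented special names. Realm, Request,
# realm_module and run_authorize are names chosen for this illustration.
from dataclasses import dataclass, field
from typing import Optional

LOCAL = "LOCAL"      # realm is authenticated here, never proxied
DEFAULT = "DEFAULT"  # catch-all realm consulted when no exact match exists
NULL = "NULL"        # realm consulted when the User-Name has no delimiter at all


@dataclass
class Realm:
    name: str
    target: str         # LOCAL, or the name of the home server to proxy to
    strip: bool = True  # proxy.conf "nostrip" would set this to False


@dataclass
class Request:
    user_name: str
    stripped_user_name: Optional[str] = None  # Stripped-User-Name, once a realm is stripped
    proxy_to: Optional[str] = None            # Proxy-To-Realm, once a proxied realm matches
    log: list = field(default_factory=list)   # roughly what radiusd -X would print


def split_realm(name: str, fmt: str, delim: str):
    """Split a User-Name the way rlm_realm does.

    format = prefix: realm is everything before the FIRST delimiter (realm1/user).
    format = suffix: realm is everything after the LAST delimiter (user@realm).
    Returns (user, realm), or None when the delimiter is absent.
    """
    if fmt == "prefix":
        realm, sep, user = name.partition(delim)
    elif fmt == "suffix":
        user, sep, realm = name.rpartition(delim)
    else:
        raise ValueError(f"unknown realm format {fmt!r}")
    return (user, realm) if sep else None


def realm_module(req: Request, realms: dict, fmt: str, delim: str) -> str:
    """One rlm_realm instance (e.g. 'suffix' with delim '@', or 'prefix' with '/').

    Returns the module return code. Like the real module it works on the
    Stripped-User-Name if an earlier instance already created one, which is
    what lets two prefix instances peel off realm1/realm2/ one layer each.
    """
    if req.proxy_to is not None:
        req.log.append("rlm_realm: Request already proxied. Ignoring.")
        return "noop"
    name = req.stripped_user_name or req.user_name
    parts = split_realm(name, fmt, delim)
    if parts is None:
        req.log.append(f"rlm_realm: No '{delim}' in User-Name = {name!r}, looking up realm NULL")
        realm, user = realms.get(NULL), name
    else:
        user, realm_name = parts
        req.log.append(f'rlm_realm: Looking up realm "{realm_name}" for User-Name = "{name}"')
        realm = realms.get(realm_name) or realms.get(DEFAULT)
        if realm is None:
            req.log.append(f'rlm_realm: No such realm "{realm_name}"')
    if realm is None:
        return "noop"  # nothing stripped: the files module later sees the full name
    if realm.strip:
        req.stripped_user_name = user
    if realm.target != LOCAL:
        req.proxy_to = realm.target
    return "updated"


def run_authorize(user_name: str, realms: dict, instances) -> Request:
    """Run the listed (format, delimiter) realm instances in authorize order."""
    req = Request(user_name)
    for fmt, delim in instances:
        realm_module(req, realms, fmt, delim)
    return req


def effective_user(req: Request) -> str:
    """The name the 'users' file / local auth will actually be asked about."""
    return req.stripped_user_name or req.user_name


if __name__ == "__main__":
    # 1. Tony's case: arealm.com not in proxy.conf -> nothing stripped, "user1" never matches
    r = run_authorize("user1@arealm.com", {}, [("suffix", "@")])
    print(effective_user(r), "|", r.log[-1])
    # 2. A DEFAULT realm that is LOCAL catches every unknown realm and strips it
    r = run_authorize("user1@arealm.com", {DEFAULT: Realm(DEFAULT, LOCAL)}, [("suffix", "@")])
    print(effective_user(r))
    # 3. Jeff's realm1/realm2/username: two prefix instances, both realms LOCAL
    both_local = {"realm1": Realm("realm1", LOCAL), "realm2": Realm("realm2", LOCAL)}
    print(effective_user(run_authorize("realm1/realm2/username", both_local,
                                       [("prefix", "/"), ("prefix", "/")])))
    # 4. jesk's realm1/foobar%realm2: strip realm1 locally, then proxy on realm2
    mixed = {"realm1": Realm("realm1", LOCAL), "realm2": Realm("realm2", "homeserver2")}
    r = run_authorize("realm1/foobar%realm2", mixed, [("prefix", "/"), ("suffix", "%")])
    print(effective_user(r), "->", r.proxy_to)
```

Case 1 reproduces Tony's debug output: with no matching realm and no DEFAULT, the suffix instance returns noop, nothing is stripped, and the files module is asked for "user1@arealm.com" rather than "user1". Case 2 is the "catch anything not already defined" setup Kevin describes, a DEFAULT realm that is LOCAL. Cases 3 and 4 show why a second realm instance (a second prefix instance with "/", or the suffix instance with "%") sees the already-stripped name and can take the next layer off, and why the inner realm has to exist in the table (as LOCAL, or as a proxied realm) for that layer to be stripped at all; an unknown inner realm is left in place exactly as in case 1.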