Re: Stripped-User-Name not set when using nostrip?
Júlíus Þór Bess Ríkharðsson wrote: > I'm not sure why you say that my LDAP is not working because in the > second debug output you can see that I find the object and use it's DN > and also extract an attribute from the object. There is no known good > password however because AD doesn't store clear-text passwords. Then you're not really using an LDAP server. See my web page for instructions on getting FreeRADIUS to work with AD: http://deployingradius.com/documents/configuration/active_directory.html > I made this setup so that I could keep things separated. I wanted > everything for that domain to be handled in it's own virtual-server. I > thought that was your idea? Am I misunderstanding virtual-servers? No. But you're PROXYING the tunneled request. Why? The "inner-tunnel" virtual server already handles the tunneled request. > So... is the conclusion that; this is the behaviour of User-Name when > proxied? Follow the instructions in my previous message. DON'T proxy the inner tunnel data. It's that easy. You're ignoring my instructions. You're asking irrelevant questions. You can try to figure out *why* it's going wrong. Or, you can follow instructions and have it work. Which one do you prefer? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name not set when using nostrip?
Hi,Thanks for your replies...I'm not sure why you say that my LDAP is not working because in the second debug output you can see that I find the object and use it's DN and also extract an attribute from the object. There is no known good password however because AD doesn't store clear-text passwords. The LDAP lookup is not working, however, in the first debug output because I can't use Stripped-User-Name because of nostrip.In the second debug output I removed nostrip but that strips User-Name (See expanded User-Name and Stripped-User-Name).I made this setup so that I could keep things separated. I wanted everything for that domain to be handled in it's own virtual-server. I thought that was your idea? Am I misunderstanding virtual-servers?So... is the conclusion that; this is the behaviour of User-Name when proxied?-freeradius-users-bounces+julius.bess=nyherji...@lists.freeradius.org wrote: ->To: FreeRadius users mailing list>>From: Alan DeKok >Sent by:>freeradius-users-bounces+julius.bess=nyherji...@lists.freeradius.org>Date: 07/03/2013 08:28PM>Subject: Re: Stripped-User-Name not set when using nostrip?>>Phil Mayers wrote: > Have you actually *tried* this, because it>should work. If it doesn't, > it's likely a problem in your local>config.He's *proxying* the request after stripping the User-Name.> That's the immediate source of the issue. If he had just used the>default config, it wouldn't be an issue.And his LDAP lookups>don't return anything. So even fixing the proxying issues won't>help. That has to be fixed, too.Alan DeKok. - List>info/subscribe/unsubscribe? See>http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name not set when using nostrip?
Phil Mayers wrote: > Have you actually *tried* this, because it should work. If it doesn't, > it's likely a problem in your local config. He's *proxying* the request after stripping the User-Name. That's the immediate source of the issue. If he had just used the default config, it wouldn't be an issue. And his LDAP lookups don't return anything. So even fixing the proxying issues won't help. That has to be fixed, too. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name not set when using nostrip?
On 03/07/2013 18:17, Júlíus Þór Bess Ríkharðsson wrote: On 03/07/13 16:24, Júlíus Þór Bess Ríkharðsson wrote: Hi, For some reason I cannot get Stripped-User-Name attribute to get populated when using nostrip for a realm. Is this normal behaviour or am I missing something? Normal. "nostrip" means "don't populate Stripped-User-Name" Phil: When I unset nostrip the User-Name attribute gets stripped. So it made sense to me that nostrip would apply to User-Name but would still give the option of Stripped-User-Name. I don't understand this. The source code is pretty clear: https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_realm/rlm_realm.c#L172 The "User-Name" attribute isn't touched; a new Stripped-User-Name attribute is used. As I said, request->username is updated, but I'm pretty sure nothing much uses this; I'm sure the EAP "identity == username" check doesn't: https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/modules/rlm_eap/eap.c#L1000 ...explicitly compares to User-Name, not Stripped-User-Name. Have you actually *tried* this, because it should work. If it doesn't, it's likely a problem in your local config. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name not set when using nostrip?
Júlíus Þór Bess Ríkharðsson wrote: > Alan: The goal is to be able to use EAP and still be able to authorize user > using LDAP. The objects name is obviously not named realm\user. Yes. Plenty of other people get this to work. > The behaviour is the same for EAP (just longer output :)), I don't get the > option of Stripped-User-Name. And when I unset nostrip; User-Name gets > stripped along with Stripped-User-Name being set and the tunnel doesn't work. You've set the request to be proxied. Why? What's wrong with just processing the request in the inner-tunnel virtual server? i.e. configure raddb/sites-available/inner-tunnel to do LDAP lookups for the user. If you're not sure how the server works, you shouldn't be creating a complicated configuration. > [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with > filter (sAMAccountName=umsja\5ctest.juliusbess) > [ldap-innra.umsja.is] rebind to URL > ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is > [ldap-innra.umsja.is] rebind to URL > ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is > [ldap-innra.umsja.is] object not found > [ldap-innra.umsja.is] search failed So... what is hard to understand about that? > Without nostrip: > [ldap-innra.umsja.is] performing search in DC=innra,DC=umsja,DC=is, with > filter (sAMAccountName=test.juliusbess) > [ldap-innra.umsja.is] rebind to URL > ldap://ForestDnsZones.innra.umsja.is/DC=ForestDnsZones,DC=innra,DC=umsja,DC=is > [ldap-innra.umsja.is] rebind to URL > ldap://DomainDnsZones.innra.umsja.is/DC=DomainDnsZones,DC=innra,DC=umsja,DC=is > [ldap-innra.umsja.is] looking for check items in directory... > [ldap-innra.umsja.is] extensionAttribute10 -> Jira-Key == "MEF" > [ldap-innra.umsja.is] looking for reply items in directory... > WARNING: No "known good" password was found in LDAP. Are you sure that the > user is configured correctly? And that should be useful, too. You've butchered the default configuration. Why? Just... why? - stsrt with the default configuration - ensure that LDAP works for non-EAP - ensure that LDAP works with the inner-tunnel use v2.2.0 for this. Really. Read raddb/sites-available/inner-tunnel - configure the realm as a LOCAL realm. - it WILL WORK. Whatever you've done is four times the work, more complicated, and fragile. And the LDAP lookups aren't working at *all*. So even if you fix the EAP / User-Name issue, the system STILL won't work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name not set when using nostrip?
On 03/07/13 16:24, Júlíus Þór Bess Ríkharðsson wrote: Hi, For some reason I cannot get Stripped-User-Name attribute to get populated when using nostrip for a realm. Is this normal behaviour or am I missing something? Normal. "nostrip" means "don't populate Stripped-User-Name" I need the User-Name attribute unchanged for EAP but it gets stripped as expected when nostrip is unset. "strip" on the realm should not change User-Name; it just populates Stripped-User-Name. Also, your debug isn't EAP. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name not set when using nostrip?
Júlíus Þór Bess Ríkharðsson wrote: > For some reason I cannot get Stripped-User-Name attribute to get > populated when using nostrip for a realm. Is this normal behaviour or am > I missing something? That's how it works. If you don't strip the name, you don't get a stripped name. > I need the User-Name attribute unchanged for EAP but it gets stripped as > expected when nostrip is unset. Then set nostrip. What do you want it to do? You're talking about problems, not about goals. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, ?more?broadly, setting Stripped-User-Name)
Phil Mayers wrote:
>
>>Unfortunately, when you set nostrip in the config, it doesn't add a
>>Stripped-User-Name attribute to the request, but when you unset it,
>>rlm_realms adds a Stripped-User-Name attribute and also updates the
>>User-Name attribute to the same value.
>
> I am 90% sure that's not what rlm_realm does. We use unlang to process
> realms now, but I am certain we used it with nostrip and it left the
> original User-Name intact and populated Stripped-User-Name.
>
You are right, we use rlm_realm and it leaves User-Name unadulterated.
This sounds like maybe the *inner* auth User-Name is realmless and
making it's way out into outer.reply. When you use 'User-Name' in
post-auth{} you will get reply:User-Name rather than request:User-Name
if I remember correctly.
The fix is to *reject* inner-authentications that are realm-less.
Cheers
--
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)
Jacob Dawson wrote: >Unfortunately, when you set nostrip in the config, it doesn't add a >Stripped-User-Name attribute to the request, but when you unset it, >rlm_realms adds a Stripped-User-Name attribute and also updates the >User-Name attribute to the same value. I am 90% sure that's not what rlm_realm does. We use unlang to process realms now, but I am certain we used it with nostrip and it left the original User-Name intact and populated Stripped-User-Name. -- Sent from my phone. Please excuse brevity and typos. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)
On 15 Jul 2011, at 02:51, Alan DeKok wrote:
> Jacob Dawson wrote:
>> Further testing suggests that neither of the Perl or Realm modules is
>> applying the Stripped-User-Name in the right scope.
>
> I have no idea what that means. The Stripped-User-Name isn't magic.
> It's just an attribute. If it exists in the request list, you can refer
> to it via %{Stripped-User-Name}
>
> If it's "magically" disappearing, then it's because something in your
> configuration is making it disappear. The default configuration works,
> and doesn't do this.
In the case of the perl module, it was me doing the boneheaded thing of adding
it to RADREPLY and not RADREQUEST. Given that mistake corrected, and that I
got my unlang mangling of the request also functioning properly, I'm making
forward progress again. Thanks to the community for that.
As far as realms goes...I found my error. I commented out a small chunk of
code in rlm_realm.c that I don't think does quite the right thing, but on
further reading, I realize that, while it might not do what I think is quite
the right thing, it still does something important, and that's actually writing
attributes to the request.
Unfortunately, when you set nostrip in the config, it doesn't add a
Stripped-User-Name attribute to the request, but when you unset it, rlm_realms
adds a Stripped-User-Name attribute and also updates the User-Name attribute to
the same value. Since I need to perform some authorization checks on the
stripped user name, if I want to do this with realms, I need to unset nostrip,
but if I do that, it rewrites User-Name, and then the wrong username (the
stripped one) gets sent to my AD servers, which reject it. Consequently, I
don't think those three lines do quite the right thing, but I'm leery of
submitting a patch to change that, because it's a noticeable change to the
behavior.
Thanks for making me look it over again.
- Jacob
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)
Jacob Dawson wrote:
> Further testing suggests that neither of the Perl or Realm modules is
> applying the Stripped-User-Name in the right scope.
I have no idea what that means. The Stripped-User-Name isn't magic.
It's just an attribute. If it exists in the request list, you can refer
to it via %{Stripped-User-Name}
If it's "magically" disappearing, then it's because something in your
configuration is making it disappear. The default configuration works,
and doesn't do this.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)
Further testing suggests that neither of the Perl or Realm modules is applying
the Stripped-User-Name in the right scope. Perl does that first thing, when a
request comes in, and my output says that as soon as perl is done, it's unset.
Similarly, as soon as the hokies realm module is done applying a stripped
username, it's unset when it returns, as evidenced by the new output below:
(0) HOKIES : Looking up realm "hokies" for User-Name = "hokies\dawson"
(0) HOKIES : Found realm "~HOKIES"
(0) HOKIES : Adding Stripped-User-Name = "dawson"
(0) HOKIES : Adding Realm = "hokies"
(0) HOKIES : Proxying request from user dawson to realm ~HOKIES
(0) HOKIES : Preparing to proxy authentication request to realm "~HOKIES"
(0)[HOKIES] = updated
(0) guest : Request already proxied. Ignoring.
(0)[guest] = ok
(0)? if ("%{User-Name}" =~ /.*/)
(0) expand: %{User-Name} -> hokies\dawson
(0) ? Evaluating ("%{User-Name}" =~ /.*/) -> TRUE
(0)? if ("%{User-Name}" =~ /.*/) -> TRUE
(0) if ("%{User-Name}" =~ /.*/) {
(0)- entering if ("%{User-Name}" =~ /.*/) {...}
(0) - if ("%{User-Name}" =~ /.*/) = notfound
(0)- if ("%{User-Name}" !~ /^.*\/.*$/) returns notfound
(0)? if ("%{Stripped-User-Name}" =~ /.*/)
(0) expand: %{Stripped-User-Name} ->
(0) ? Evaluating ("%{Stripped-User-Name}" =~ /.*/) -> TRUE
(0)? if ("%{Stripped-User-Name}" =~ /.*/) -> TRUE
(0) if ("%{Stripped-User-Name}" =~ /.*/) {
(0)- entering if ("%{Stripped-User-Name}" =~ /.*/) {...}
(0) - if ("%{Stripped-User-Name}" =~ /.*/) = notfound
(0)- if ("%{User-Name}" !~ /^.*\/.*$/) returns notfound
(0) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
Am I missing something, and just have something blindingly obvious
misconfigured, or is it misbehaving? The only way I've successfully written
the Stripped-User-Name attribute onto the Access-Request has been in unlang
itself with a static string, as I was unable to get the regexp parsing to play
nice.
-Jacob
On 14 Jul 2011, at 13:31, Jacob Dawson wrote:
> So I played with my copy of the code to change what nostrip being unset means
> (now, it writes the Stripped-User-Name attribute, but no longer rewrites the
> User-Name attribute with the stripped username), and I'm still running into
> problems:
> (0) HOKIES : Looking up realm "hokies" for User-Name = "hokies\dawson"
> (0) HOKIES : Found realm "~HOKIES"
> (0) HOKIES : Adding Stripped-User-Name = "dawson"
> (0) HOKIES : Adding Realm = "hokies"
> (0) HOKIES : Proxying request from user dawson to realm ~HOKIES
> (0) HOKIES : Preparing to proxy authentication request to realm "~HOKIES"
> (0)[HOKIES] = updated
> (0) guest : Request already proxied. Ignoring.
> (0)[guest] = ok
> (0) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
> (0)... skipping elsif for request 0: Preceding "if" was taken
> (0) eap : Request is supposed to be proxied to Realm ~HOKIES. Not doing EAP.
> (0) [eap] = noop
> (0) sql : expand: %{Stripped-User-Name} ->
> (0) sql : sql_set_user escaped user --> ''
>
> There at the end, what's ending up in the sql module just does NOT have
> Stripped-User-Name set, and that's driving me batty. The only way I've ever
> had that working was to manually, in unlang, set it to a fixed string
> (Stripped-User-Name := dawson).
>
> Any ideas what's causing this difficulty?
>
> -Jacob
>
>
> On 14 Jul 2011, at 08:49, Jacob Dawson wrote:
>
>>
>> On 14 Jul 2011, at 03:42, Alexander Clouter wrote:
>>
>>> In article <795d5ee4-7536-431e-926a-98e70efa1...@vt.edu> you wrote:
>>> Although to prevent down the road severe levels of pain when enabling
>>> eduroam you should be using something like 'daw...@hokies.vt.edu', could
>>> you not just use 'ntdomain' (a built in module that will do this for
>>> you)? 'ntdomain' should create Realm and Stripped-User-Name in the
>>> manner you want.
>> Are you suggesting that using a prefix domain like that will cause problems,
>> or that I should be using the realms module?
>> I have no problem with using the module, as it's worked well for the
>> proxying side of things, but I need to be able to authorize the users on our
>> domain, and that means I need to get a stripped username and pass it to the
>> DB. I'll poke at it and see if I can get that side working.
>>
>>>
>>> I was going to ask why you were not doing the perl stuff in unlang. :)
>>>
>> It seemed like a good idea at the time.
>>
(1)? elsif ("%{User-Name}" =~ /^(.*\\)(.*)$/)
(1) expand: %{User-Name} -> hokies\dawson
ERROR: Failed compiling regular expression: Unmatched ( or \(
(1) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
where the relevant part of sites-enabled/default authorize section
>>> looks thus:
elsif("%{User-Name}" =~ /^(.*\\)(.*)$/){
update request{
Stripped-User-Name := "%{$`}"
}
}
>>> $' and $` is a perlism. You want something like (look at policy.conf
>>>
Re: Stripped-User-Name
Kenneth Grady <[EMAIL PROTECTED]> wrote: > rlm_ldap: performing user authorization for klg > radius_xlat: > '(&(objectClass=posixAccount)(description=remote)(uid=klg))' This appears to be OK. Earlier, you said: > > > > filter = "([EMAIL PROTECTED])". > > > > > > > > But, I got "@aliasdomain" only. It really stripped the full username. Can you explain the discrepancy? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name
radiusd.conf
...
group {
redundant {
...
fail = 1
}
suffix
...
notfound = return
}
files
radiusd -X
...
Exec-Program-Wait: plaintext: Reply-Message = "Remove (@lanl.gov)" from
username ([EMAIL PROTECTED])
Exec-Program: returned: 0
modcall[authorize]: module "ip_check" returns ok for request 6
rlm_realm: Looking up realm "lanl.gov" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "lanl.gov"
rlm_realm: Adding Stripped-User-Name = "klg"
rlm_realm: Proxying request from user klg to realm lanl.gov
rlm_realm: Adding Realm = "lanl.gov"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 6
modcall: entering group redundant for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for klg
radius_xlat:
'(&(objectClass=posixAccount)(description=remote)(uid=klg))'
radius_xlat: 'dc=lanl,dc=gov'
...
with radiusd.conf
...
#suffix
...
Exec-Program-Wait: plaintext: Reply-Message = "Remove (@lanl.gov)" from
username ([EMAIL PROTECTED])
Exec-Program: returned: 0
modcall[authorize]: module "ip_check" returns ok for request 6
modcall: entering group redundant for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:
'(&(objectClass=posixAccount)(description=remote)([EMAIL PROTECTED]))'
radius_xlat: 'dc=lanl,dc=gov'
rlm_ldap: ldap_get_conn: Checking Id: 0
...
On Wed, 2005-03-16 at 11:48, Kevin Jeoung wrote:
> > > Can "Stripped-User-Name" be used for ldap authorization and pap
> > > authentication?
> >
> > If it exists, yes.
> >
> When does it exist? I used "suffix" in radiusd.conf but
> "[EMAIL PROTECTED]" became "@myds.com".
>
> > > filter = "([EMAIL PROTECTED])".
> > >
> > > But, I got "@aliasdomain" only. It really stripped the full username.
> >
> > If there's no Stripped-User-Name attribute, no, it didn't strip the
> >full username.
> >
> Again, when does this attribute exist? I set suffix and dictionary
> correctly.
>
> Kevin
> > Alan DeKok.
> >
> >
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
>
> _
> Is your PC infected? Get a FREE online computer virus scan from McAfee
> Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name
"Kevin Jeoung" <[EMAIL PROTECTED]> wrote: > When does it exist? I used "suffix" in radiusd.conf but > "[EMAIL PROTECTED]" became "@myds.com". The Stripped-User-Name is added by the "realms" module, and it says this in debug mode. > Again, when does this attribute exist? I set suffix and dictionary > correctly. As always, run the server in debugging mode and read the output. If you see Stripped-User-Name, then your question is answered. If not, then the server isn't configured to create Stripped-User-Name. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name
Stripped-User-Name is created either by using realms or in the hints
file used by the preprocess module.
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Kevin Jeoung wrote:
You didn't get a Stripped-User-Name. You need in the radiusd.conf
authorize {
...
suffix
files
...
I already did so.
Kevin
On Wed, 2005-03-16 at 11:02, Kevin Jeoung wrote:
> Can "Stripped-User-Name" be used for ldap authorization and pap
> authentication?
> What I want to do is something like
>
> filter = "([EMAIL PROTECTED])".
>
> But, I got "@aliasdomain" only. It really stripped the full username.
>
> Thanks in advance.
> Kevin
>
> _
> Dont just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
_
Is your PC infected? Get a FREE online computer virus scan from McAfee®
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name
You didn't get a Stripped-User-Name. You need in the radiusd.conf
authorize {
...
suffix
files
...
I already did so.
Kevin
On Wed, 2005-03-16 at 11:02, Kevin Jeoung wrote:
> Can "Stripped-User-Name" be used for ldap authorization and pap
> authentication?
> What I want to do is something like
>
> filter = "([EMAIL PROTECTED])".
>
> But, I got "@aliasdomain" only. It really stripped the full username.
>
> Thanks in advance.
> Kevin
>
> _
> Dont just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
_
Is your PC infected? Get a FREE online computer virus scan from McAfee®
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name
> Can "Stripped-User-Name" be used for ldap authorization and pap > authentication? If it exists, yes. When does it exist? I used "suffix" in radiusd.conf but "[EMAIL PROTECTED]" became "@myds.com". > filter = "([EMAIL PROTECTED])". > > But, I got "@aliasdomain" only. It really stripped the full username. If there's no Stripped-User-Name attribute, no, it didn't strip the full username. Again, when does this attribute exist? I set suffix and dictionary correctly. Kevin Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _ Is your PC infected? Get a FREE online computer virus scan from McAfee® Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name
You didn't get a Stripped-User-Name. You need in the radiusd.conf
authorize {
...
suffix
files
...
On Wed, 2005-03-16 at 11:02, Kevin Jeoung wrote:
> Can "Stripped-User-Name" be used for ldap authorization and pap
> authentication?
> What I want to do is something like
>
> filter = "([EMAIL PROTECTED])".
>
> But, I got "@aliasdomain" only. It really stripped the full username.
>
> Thanks in advance.
> Kevin
>
> _
> Dont just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stripped-User-Name
"Kevin Jeoung" <[EMAIL PROTECTED]> wrote: > Can "Stripped-User-Name" be used for ldap authorization and pap > authentication? If it exists, yes. > filter = "([EMAIL PROTECTED])". > > But, I got "@aliasdomain" only. It really stripped the full username. If there's no Stripped-User-Name attribute, no, it didn't strip the full username. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
