Yedidia Klein wrote:
Hello list,

I'm using the freeradius server as a radius server that forwards the auth to an LDAP server, on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3).

I want one of my service providers to authenticate against this radius. After enabling some debug option I found that it sends me the users in the form of [EMAIL PROTECTED], which (of course) my ldap doesn't know and refuses to auth.

Is there a way on freeradius to pass to the ldap server only the left side of the @ sign?
I tried to use "with_ntdomain_hack = yes" in my ldap section on radiusd.conf w/o success.

Two ways:

1. Use /etc/raddb/hints to rewrite the packet, e.g.

DEFAULT NAS-IP-Address == the.isp.server.ip, User-Name =~ "^(.*)@.*$"
        User-Name := `%{1}`

# or maybe
DEFAULT Suffix = "@domain.tld", Strip-User-Name = Yes
        Hint = "FromTheIsp"

2. Use the proxy/realm feature - see the various "realm" module definitions in radiusd.conf and the realm definitions in proxy.conf. Basically:

modules {
  realm suffix {
    format = suffix
    delimiter = "@"
    ignore_default = yes
    ignore_null = yes
  }
}
authorize {
  preprocess
  suffix
  ldap
  # other stuff
}

...then in proxy.conf:

realm domain.tld {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  strip
}


Method 1 is simpler and probably best for this situation. Method 2 is really intended for when you make requests to another server, as opposed to when they make them to you.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
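Added illustration (my own code, not from the thread): a small Python model of what the two methods above do to the User-Name before it reaches ldap, covering the edge cases of a second "@" in the name and of a realm that is not listed in proxy.conf. The NAS IP, the realm table and the assumption that format = suffix splits on the last delimiter are mine.

```python
import re

# Constructed sample values for this illustration (not from the thread).
ISP_NAS_IP = "192.0.2.10"
# Realm table as proxy.conf would define it: realm -> {authhost, strip}
REALMS = {"domain.tld": {"authhost": "LOCAL", "strip": True}}


def hints_rewrite(user_name, nas_ip, isp_nas_ip=ISP_NAS_IP):
    """Emulate the hints entry
         DEFAULT NAS-IP-Address == isp, User-Name =~ "^(.*)@.*$"
                 User-Name := %{1}
    Both check items must match. The greedy (.*) stops at the LAST '@',
    so 'a@b@domain.tld' becomes 'a@b', not 'a'."""
    if nas_ip != isp_nas_ip:
        return user_name
    m = re.match(r"^(.*)@.*$", user_name)
    return m.group(1) if m else user_name


def realm_suffix(user_name, realms, delimiter="@",
                 ignore_null=True, ignore_default=True):
    """Emulate the 'realm suffix' module plus the proxy.conf lookup.
    Assumption: format = suffix splits on the last delimiter (strrchr-style).
    Returns (user_name_seen_by_ldap, realm, proxied)."""
    idx = user_name.rfind(delimiter)
    if idx < 0:
        # No delimiter: NULL realm. ignore_null = yes leaves the request alone.
        if ignore_null or "NULL" not in realms:
            return user_name, None, False
        entry, name, realm = realms["NULL"], user_name, "NULL"
    else:
        name, realm = user_name[:idx], user_name[idx + 1:]
        entry = realms.get(realm)
        if entry is None:
            # Unknown realm: ignore_default = yes means no fallback to DEFAULT,
            # so the full User-Name reaches ldap unchanged (and is refused there).
            if ignore_default or "DEFAULT" not in realms:
                return user_name, None, False
            entry = realms["DEFAULT"]
    proxied = entry["authhost"] != "LOCAL"
    seen = name if entry["strip"] else user_name
    return seen, realm, proxied


if __name__ == "__main__":
    print(hints_rewrite("alice@domain.tld", ISP_NAS_IP))
    print(realm_suffix("alice@domain.tld", REALMS))
    print(realm_suffix("carol@other.tld", REALMS))
```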