I have this problem.

If I authenticate with EAP-TLS (I am using Mac OS X 10.5 as the supplicant),

my email address is extracted in some way as the user name.
The uid is recognized as the part before the "@", so my real username in LDAP (which is different)
is not recognized as a valid user.

Nevertheless, I am authenticated anyway.

So I have a double problem:

1) How to check against LDAP correctly, thus extracting my correct username from the email address
upon the RADIUS authorization request to LDAP.

2) If a user is not found, how to drop it, preventing the RADIUS authorization from taking place.

rlm_ldap: performing user authorization for Riccardo.Veraldi
radius_xlat:  '(uid=Riccardo.Veraldi)'
radius_xlat:  'ou=people,o=city,o=myorg,c=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=city,o=myorg,c=it, with filter (uid=Riccardo.Veraldi)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns notfound for request 11
modcall: group authorize returns updated for request 11
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack handshake is finished
 eaptls_verify returned 3
 eaptls_process returned 3
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns ok for request 11
modcall: group authenticate returns ok for request 11
Login OK: [EMAIL PROTECTED] (from client ciscoap3 port 451 cli 001e.5271.e700)
Sending Access-Accept of id 73 to 192.168.252.13:1645


My correct username in LDAP is veraldi.

Thank you very much

Riccardo


Alan DeKok wrote:
Riccardo Veraldi wrote:
After authentication I would like to check the common name or email
address properties of the certificate against LDAP, to authorize the
user connection.

  It comes in the User-Name attribute.

Is it possible to do this?
I tried, but it seems not to be working in my configuration.
Any hints?

  Give us more information?

Q: Hi, I tried to do stuff, but it didn't work.  How do I fix it?
A: Uh... your guess is as good as mine.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

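An added configuration example, not from this thread and not from the FreeRADIUS project itself, showing one way to address both questions in the FreeRADIUS 1.x radiusd.conf syntax that the "modcall" debug output above suggests: look the user up by the LDAP mail attribute (assumed to hold the address that appears in the certificate) instead of by uid, and turn a "notfound" from the ldap module into an Access-Reject with the configurable failover syntax. The LDAP server name, bind DN and bind password are placeholders; the basedn is the one from the debug output; the commented-out filter is the module's default.

```conf
# radiusd.conf excerpt (FreeRADIUS 1.x). Added example, not from the thread.
modules {
        ldap {
                server   = "ldap.example.org"            # assumed hostname
                identity = "cn=radius,o=myorg,c=it"      # assumed read-only bind DN
                password = "change-me"                   # placeholder
                basedn   = "ou=people,o=city,o=myorg,c=it"

                # Before (module default): searches on uid using the part of
                # User-Name before "@", which produces (uid=Riccardo.Veraldi)
                # and fails when the uid is something else (here: veraldi).
                # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

                # After: search on the mail attribute with the full User-Name,
                # which for EAP-TLS from this supplicant is the e-mail address
                # taken from the certificate.  Assumes the LDAP entries carry
                # that address in the "mail" attribute.
                filter = "(mail=%{User-Name})"
        }
}

authorize {
        preprocess
        eap
        ldap {
                # Configurable failover: when the search returns no entry,
                # stop processing and send Access-Reject instead of letting
                # the request fall through to the EAP authenticate section.
                notfound = reject
        }
}
```

On FreeRADIUS 2.x the same reject is written in unlang as `ldap` followed by `if (notfound) { reject }` in the authorize section. One caveat: with EAP-TLS the User-Name is the identity string the supplicant chooses to send, so the LDAP lookup keys on a value the client controls rather than on the verified certificate; the `check_cert_cn = %{User-Name}` option in the `tls` section of eap.conf binds the two, but only when the identity sent is the certificate's CN rather than its e-mail address.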