On 11 Jan 2013, at 19:58, Ti Leggett <[email protected]> wrote: > I have an issue with rlm_perl changing the request User-Name attribute but > the proxy request not honoring it. First I'll describe what I'm trying to > accomplish and why and then what I'm doing. I'm running a branch of 2.2.1 > that has some krb5 realm fixes in it. > > I have multiple realms that users can authenticate against: our division has > replayable password (handled by kerberos) and one time passwords (handled by > both YubiKeys and Crypto Card), our lab has replayable passwords (handled by > AD) and a separate one time password system (handled by Crypto Card). For > services that we want to allow replayable passwords (like IMAP access for > instance), we want to allow the user to choose which service to use (division > or lab). For services requiring OTP we want the user to choose which OTP > token they want to use (some people have multiple because of external > requirements). We want users to be able to change these auth preferences on > their own and not have this require changing the RADIUS configuration > (a.k.a., the users file) to do this. Our account information is kept in LDAP. > > This is all well and good except that usernames between the division and the > lab aren't guaranteed to match - User A might have lastname as their division > name, but lastnamefirst as their lab username. For the kerberos and AD > request the RADIUS server can handle the request directly using rlm_krb5, but > for all the OTP requests the server must proxy to the correct OTP server to > handle the request. > > Here's my plan for accomplishing this. > > During authorization, rlm_ldap is used to make sure if the user is in LDAP. > If not the request is rejected outright (this should help with brute force > attempts bogging down all the servers for bogus attempts).
Yeah it'll just bog down your LDAP server instead. You should use rlm_cache to cache the result of the LDAP lookup (once you have all this working)*. Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled. -Arran PS: You know you want to test the threaded version of the updated rlm_krb5 module :) * Only use the rlm_cache module from 2.2.1 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

