On 11 Jan 2013, at 19:58, Ti Leggett <[email protected]> wrote:

> I have an issue with rlm_perl changing the request User-Name attribute but 
> the proxy request not honoring it. First I'll describe what I'm trying to 
> accomplish and why and then what I'm doing. I'm running a branch of 2.2.1 
> that has some krb5 realm fixes in it.
> 
> I have multiple realms that users can authenticate against: our division has 
> replayable password (handled by kerberos) and one time passwords (handled by 
> both YubiKeys and Crypto Card), our lab has replayable passwords (handled by 
> AD) and a separate one time password system (handled by Crypto Card). For 
> services that we want to allow replayable passwords (like IMAP access for 
> instance), we want to allow the user to choose which service to use (division 
> or lab). For services requiring OTP we want the user to choose which OTP 
> token they want to use (some people have multiple because of external 
> requirements). We want users to be able to change these auth preferences on 
> their own and not have this require changing the RADIUS configuration 
> (a.k.a., the users file) to do this. Our account information is kept in LDAP.
> 
> This is all well and good except that usernames between the division and the 
> lab aren't guaranteed to match - User A might have lastname as their division 
> name, but lastnamefirst as their lab username. For the kerberos and AD 
> request the RADIUS server can handle the request directly using rlm_krb5, but 
> for all the OTP requests the server must proxy to the correct OTP server to 
> handle the request.
> 
> Here's my plan for accomplishing this.
> 
> During authorization, rlm_ldap is used to make sure if the user is in LDAP. 
> If not the request is rejected outright (this should help with brute force 
> attempts bogging down all the servers for bogus attempts).

Yeah it'll just bog down your LDAP server instead. You should use rlm_cache to 
cache the result of the LDAP lookup (once you have all this working)*.

Have you added nostrip for all the realms? The only way I can see it clobbering 
username is if stripping is enabled.

-Arran

PS: You know you want to test the threaded version of the updated rlm_krb5 
module :)

* Only use the rlm_cache module from 2.2.1
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to