WG: Problem conversion of User-Name

2005-10-13 Thread marcus . koestler


 Hello,
 
 I have a problem after converting a User-Name of the form 27180769 to
 [EMAIL PROTECTED]
 
 After the RADIUS server has authorized the request, I want to convert my user to an
 @-form to pass it to the rlm_krb5 module for authentication, because we
 have different Kerberos realms and the name 27180769 is probably not
 enough to pick the right Kerberos server from krb5.conf.
 
 For this purpose my external program gives back a value pair in the form
 User-Name := [EMAIL PROTECTED], after I feed it with the LDAP DN
 from the LDAP request, to pick the right realm.
 
 It seems that the memory allocated for User-Name is not reallocated, so
 vals of other vars were overwritten after the program returns.
 
 Here is my debug output from radiusd -s -xx:
 
 Exec-Program: /usr/local/bin/convert.php
 CN=27180769,CN=Users,DC=apfelbaum,DC=de
 Exec-Program output: User-Name := [EMAIL PROTECTED]
 Exec-Program-Wait: value-pairs: User-Name := [EMAIL PROTECTED]
 Exec-Program: returned: 0
   modcall[authorize]: module convert_name returns ok for request 0
 rlm_ldap: Entering ldap_groupcmp()
 radius_xlat:  'dc=apfelbaum,dc=de'
 radius_xlat:
 '(|((objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(
 (objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apf
 elbaum,DC=de)))'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in cn=modemuser,cn=Users,dc=apfelbaum,dc=de,
 with filter
 (|((objectClass=Group)(member=CN=27180769,CN=Users,DC=apfelbaum,DC=de))(
 (objectClass=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfe
 lbaum,DC=de)))
 rlm_ldap::ldap_groupcmp: User found in group
 cn=modemuser,cn=Users,dc=apfelbaum,dc=de
 rlm_ldap: ldap_release_conn: Release Id: 0
 users: Matched entry DEFAULT at line 219
 radius_xlat:  'number=08912124447 direction=outgoing'
   modcall[authorize]: module files returns ok for request 0
 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type Kerberos
 auth: type Kerberos
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_krb5:
 [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users,DC=apfelbaum,DC=
 de)`] krb5_g_i_t_w_p failed: Cannot resolve network address for KDC in
 requested realm
   modcall[authenticate]: module krb5 returns reject for request 0
 modcall: group authenticate returns reject for request 0
 auth: Failed to validate the user.
 Login incorrect:
 [ss=GroupOfUniqueNames)(uniquemember=CN=27180769,CN=Users/ROrt9670] (from
 client localhost port 0)
 
 
 A snippet from radiusd.conf:
 
 exec convert_name {
     wait = yes
     program = /usr/local/bin/convert.php %{Ldap-UserDn}
     input_pairs = request
     output_pairs = request
 }
 
 authorize {
     ldap {
         notfound = return
     }
     convert_name
     files
 }
 
 My users file:
 
 DEFAULT Ldap-Group == cn=modemuser,cn=Users,dc=apfelbaum,dc=de, Auth-Type:=Kerberos
     DIALT := number=%{reply:DIALT} direction=outgoing,
     PPPT := callback=ppp_offered blocktime=3 Layer1Protocol=modem,
     Idle-Timeout = 900,
     Framed-Protocol = PPP,
     User-Service := 2,
     Fall-Through = 0,
     Framed-Netmask := 255.255.255.255
 
 DEFAULT Ldap-Group == cn=isdnuser,cn=Users,dc=apfelbaum,dc=de, Auth-Type:=Kerberos
     DIALT := number=%{reply:DIALT} direction=outgoing,
     PPPT := callback=ppp_offered blocktime=3,
     Idle-Timeout = 900,
     Framed-Protocol = PPP,
     User-Service := 2,
     Fall-Through = 0,
     Framed-Netmask := 255.255.255.255
 
 DEFAULT Auth-Type := Reject
     Reply-Message = Your account has been disabled.
 
 
 greetings
 Marcus Koestler
 Bayerisches Landeskriminalamt
 SG 343, Netztechnik
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
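
The message above describes an external program that receives the LDAP DN and prints a single `User-Name := user@realm` pair for the exec module to read back. The following is an added example of such a converter, not the poster's convert.php: the realm table, the account-name allow-list and the function names are assumptions made for illustration. It parses the DN with escape handling and prints nothing unless the result is one well-formed pair.

```python
import re
import sys

# Assumed mapping from the DN's DC suffix to a Kerberos realm (constructed values).
REALMS = {"apfelbaum.de": "APFELBAUM.DE", "example.org": "EXAMPLE.ORG"}
# Assumed allow-list: only plain account names may reach the attribute-pair parser.
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,64}")


def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False   # escaped character is taken literally
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    parts = [rdn.partition("=") for rdn in rdns]
    if any(not sep for _, sep, _ in parts):
        raise ValueError("malformed DN")
    return [(k.strip().lower(), v.strip()) for k, _, v in parts]


def dn_to_pair(dn):
    """Return the single 'User-Name := user@REALM' line, or raise ValueError."""
    pairs = split_dn(dn)
    if pairs[0][0] != "cn":
        raise ValueError("DN does not start with CN")
    user = pairs[0][1]
    # Reject spaces, commas, '=' and the like so the output is exactly one pair.
    if not SAFE_USER.fullmatch(user):
        raise ValueError("unsafe account name")
    domain = ".".join(v.lower() for k, v in pairs if k == "dc")
    if domain not in REALMS:
        raise ValueError("no realm configured for %r" % domain)
    return "User-Name := %s@%s" % (user, REALMS[domain])


if __name__ == "__main__":
    try:
        print(dn_to_pair(sys.argv[1]))
    except (IndexError, ValueError) as err:
        sys.exit("convert: %s" % err)    # non-zero exit, nothing on stdout
```
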


Re: WG: Problem conversion of User-Name

2005-10-13 Thread Kenneth Grady
In your /etc/krb5.conf, do you have
...
[realms]
apfelbaum.de ={
kdc = kerberos...




AW: WG: Problem conversion of User-Name

2005-10-13 Thread marcus . koestler
yes.

-Original Message-
From: Kenneth Grady [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 October 2005 16:20
To: FreeRadius users mailing list
Subject: Re: WG: Problem conversion of User-Name


in your /etc/krb5.conf do you have
...
[realms]
apfelbaum.de ={
kdc = kerberos...

