Re: problems with hints file

2006-05-08 Thread wekz

Ok Phil. That works fine, thanks.

I had to enable with_ntdomain_hack too.


2006/5/5, Phil Mayers <[EMAIL PROTECTED]>:

wekz wrote:
> Hi all,
>
> I use freeradius1.1.1 + ldap. And peap or eap-tls for authorization.
>
> I've been trying to use hints.file for changing the User-Name. When a
> laptop user which is in a domain tries to do a peap authentication,
> windows sends a User-Name that follows this pattern (at least the ones
> I've seen):
>
>  DOMAIN\5c\5cLOGIN
>
> I'm trying to catch up the LOGIN name so the radius can perform a search
> in ldap.
>
> I've modified hints.file including this line:
>
>   DEFAULT User-Name =~ "^([^\\]+)\\5c\\5c([^\\]+)"
>   User-Name := "%{2}"

I assume you didn't mean "5c" but the body of your mail appears to have
been corrupted along the way.

>
>
> The problem is that this rule matches but it changes the User-Name for
> an empty string.

I believe that should be:

DEFAULT User-Name =~ "^([^\\]+)([^\\]+)"
 User-Name = `%{2}`

HOWEVER - you should almost certainly be using the "realm" module to do
this. The default config has "realm ntdomain {" ...config lines defined.
If you put this in "authorize" like so:

authorize {
   preprocess
   ntdomain
   # other modules
}

...then add this in proxy.conf:

realm MYDOMAIN {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
   strip
}

...you can then use the following in e.g. the ldap config:

  ldap {
    # other config

    # NOTE: the expansion means "Stripped-User-Name OR User-Name"
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

    # other config
  }
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Re: problems with hints file

2006-05-05 Thread Phil Mayers

wekz wrote:

> Hi all,
>
> I use freeradius1.1.1 + ldap. And peap or eap-tls for authorization.
>
> I've been trying to use hints.file for changing the User-Name. When a
> laptop user which is in a domain tries to do a peap authentication,
> windows sends a User-Name that follows this pattern (at least the ones
> I've seen):
>
>  DOMAIN\5c\5cLOGIN
>
> I'm trying to catch up the LOGIN name so the radius can perform a search
> in ldap.
>
> I've modified hints.file including this line:
>
>   DEFAULT User-Name =~ "^([^\\]+)\\5c\\5c([^\\]+)"
>   User-Name := "%{2}"

I assume you didn't mean "5c" but the body of your mail appears to have
been corrupted along the way.

> The problem is that this rule matches but it changes the User-Name for
> an empty string.


I believe that should be:

DEFAULT User-Name =~ "^([^\\]+)([^\\]+)"
User-Name = `%{2}`

HOWEVER - you should almost certainly be using the "realm" module to do 
this. The default config has "realm ntdomain {" ...config lines defined. 
If you put this in "authorize" like so:


authorize {
  preprocess
  ntdomain
  # other modules
}

...then add this in proxy.conf:

realm MYDOMAIN {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  strip
}

...you can then use the following in e.g. the ldap config:

 ldap {
   # other config

   # NOTE: the expansion means "Stripped-User-Name OR User-Name"
   filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

   # other config
 }
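Added example, not part of Phil Mayers's message and not FreeRADIUS code: a Python model of the flow he describes, where a realm lookup on DOMAIN\LOGIN with "strip" sets Stripped-User-Name and the LDAP filter falls back to User-Name when that attribute is absent. The helper names, the sample logins and the RFC 4515 escaping of the expanded value are assumptions of this example.

```python
import re

# Filter string taken from the message above.
FILTER = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

# Matches %{Attr} and %{Attr:-%{Fallback}} (only the forms used in the thread).
_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-%\{([A-Za-z0-9-]+)\})?\}")


def ntdomain_split(user_name, known_realms):
    """Model a realm lookup on DOMAIN\\LOGIN with 'strip' set.

    Returns the attributes that would be added to the request, or {} when
    there is no backslash or the domain is not a configured realm.
    """
    domain, sep, login = user_name.partition("\\")
    if not sep or not login or domain not in known_realms:
        return {}
    return {"Realm": domain, "Stripped-User-Name": login}


def ldap_escape(value):
    """RFC 4515: write \\ * ( ) and NUL as \\XX inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand(template, request):
    """Expand %{A:-%{B}}: use A when set and non-empty, otherwise B."""
    def repl(match):
        value = request.get(match.group(1)) or request.get(match.group(2) or "", "")
        return ldap_escape(value)
    return _XLAT.sub(repl, template)


def build_filter(user_name, known_realms=("MYDOMAIN",)):
    """Run the realm step, then expand the LDAP filter for the request."""
    request = {"User-Name": user_name}
    request.update(ntdomain_split(user_name, known_realms))
    return expand(FILTER, request)


if __name__ == "__main__":
    # Constructed sample logins, not taken from the thread.
    for name in ("MYDOMAIN\\jdoe", "jdoe", "OTHER\\jdoe", "MYDOMAIN\\j*doe"):
        print("%-18s -> %s" % (name, build_filter(name)))
```

For a domain that is not a configured realm, the fallback puts the whole User-Name into the filter, and its backslash appears as \5c once escaped.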


problems with hints file

2006-05-05 Thread wekz
Hi all,

I use freeradius1.1.1 + ldap. And peap or eap-tls for authorization.

I've been trying to use hints.file for changing the User-Name. When a laptop user which is in a domain tries to do a peap authentication, windows sends a User-Name that follows this pattern (at least the ones I've seen):

 DOMAIN\5c\5cLOGIN

I'm trying to catch up the LOGIN name so the radius can perform a search in ldap.

I've modified hints.file including this line:

  DEFAULT User-Name =~ "^([^\\]+)\\5c\\5c([^\\]+)"
  User-Name := "%{2}"

The problem is that this rule matches but it changes the User-Name for an empty string.

If I put a string instead of %{2} it does change it right.

  DEFAULT User-Name =~ "^([^\\]+)\\5c\\5c([^\\]+)"
  User-Name := "JOHNDOE"

I don't know if that is a bug or if there's something I'm doing wrong and didn't realize. ¿?

Thanks.


Problems with hints file when i use freeradius-1.0.1

2005-01-24 Thread Sergey Kodentsev
Hello,

I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
Beginning of my hints file:

sergk   Strip-User-Name = No
        Hint := "admin"

It matches only username "sergk" with freeradius-0.8.1.
But it matches any username with freeradius-1.0.1.
Is it a bug or a feature?






Re: Problems with hints file when i use freeradius-1.0.1

2005-01-13 Thread Helmut Tröbs
Hello,

I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
My hints file:

DEFAULT Prefix == "t", Strip-User-Name = No
        Hint = "TUM"

It works with freeradius-0.8.1, the username stays unstripped.
With freeradius-1.0.1 the username is always stripped, why?
Maybe I made a syntax error?

I got a "nightly CVS snapshot" and this works how I supposed
(with the syntax above). But now I have problems with eap.
So I made a dirty source-patch for 1.0.1.
Delete the function presufcmp in .../src/main/valuepair.c and
copy this one in (from freeradius-snapshot-20050111/src/modules/
rlm_expr/paircmp.c):

static int presufcmp(void *instance,
                     REQUEST *req UNUSED,
                     VALUE_PAIR *request, VALUE_PAIR *check,
                     VALUE_PAIR *check_pairs, VALUE_PAIR **reply_pairs)
{
    VALUE_PAIR *vp;
    char *name = (char *)request->strvalue;
    char rest[MAX_STRING_LEN];
    int len, namelen;
    int ret = -1;

    instance = instance;
    reply_pairs = reply_pairs; /* shut the compiler up */

#if 0 /* DEBUG */
    printf("Comparing %s and %s, check->attr is %d\n",
           name, check->strvalue, check->attribute);
#endif

    len = strlen((char *)check->strvalue);
    switch (check->attribute) {
    case PW_PREFIX:
        ret = strncmp(name, (char *)check->strvalue, len);
        if (ret == 0 && rest)
            strcpy(rest, name + len);
        break;
    case PW_SUFFIX:
        namelen = strlen(name);
        if (namelen < len)
            break;
        ret = strcmp(name + namelen - len,
                     (char *)check->strvalue);
        if (ret == 0 && rest) {
            strNcpy(rest, name, namelen - len + 1);
        }
        break;
    }
    if (ret != 0)
        return ret;

    /*
     *  If Strip-User-Name == No, then don't do any more.
     */
    vp = pairfind(check_pairs, PW_STRIP_USER_NAME);
    if (vp && !vp->lvalue) return ret;

    /*
     *  See where to put the stripped user name.
     */
    vp = pairfind(check_pairs, PW_STRIPPED_USER_NAME);
    if (!vp) {
        vp = paircreate(PW_STRIPPED_USER_NAME, PW_TYPE_STRING);
        if (!vp) return ret; /* no memory, do anything? */
        pairadd(&request, vp);
    }

    strcpy((char *)vp->strvalue, rest);
    vp->length = strlen(rest);

    return ret;
}

regards
Helmut Troebs


Re: Problems with hints file when i use freeradius-1.0.1

2005-01-05 Thread Michael Schwartzkopff

Perhaps this helps:

http://lists.cistron.nl/pipermail/freeradius-users/2004-February/027993.html

perhaps the whole thread. 

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B




Re: Problems with hints file when i use freeradius-1.0.1

2005-01-05 Thread Helmut Tröbs

> On Tuesday, 4 January 2005 08:56, Helmut Tröbs wrote:
> > Hello,
> > i want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
> > My hints file:
> > DEFAULT Prefix == "t", Strip-User-Name = No
> >         Hint = "TUM"
>
> DEFAULT Prefix = "t", Strip-User-Name = No
>  Hint = "TUM"
> with only one "=" after "Prefix"?

Thank you for the answer, but Prefix == "t" is correct,
when I try only one "=" I get the message

 Invalid operator for item Prefix: reverting to '=='

in debug output.
When I try to use N instead of No:

DEFAULT Prefix == "t", Strip-User-Name = N
        Hint = "TUM"

The Debug output looks better, but the proxied user-name
is still wrong.

rad_recv: Access-Request packet from host x.x.x.x:32770, id=171, length=56
User-Name = "test"
User-Password = "x"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 48
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
  modcall[authorize]: module "suffix" returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 178
users: Matched DEFAULT at 385
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 10.156.10.42:1812
User-Name = "est"
User-Password = "x"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Proxy-State = 0x313731
Any idea?
regards
Helmut Troebs


Re: Problems with hints file when i use freeradius-1.0.1

2005-01-04 Thread Michael Schwartzkopff

On Tuesday, 4 January 2005 08:56, Helmut Tröbs wrote:
> Hello,
>
> i want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
> My hints file:
>
> DEFAULT Prefix == "t", Strip-User-Name = No
>  Hint = "TUM"

DEFAULT Prefix = "t", Strip-User-Name = No
 Hint = "TUM"

with only one "=" after "Prefix"?

Regards,

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B




Problems with hints file when i use freeradius-1.0.1

2005-01-03 Thread Helmut Tröbs
Hello,

I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
My hints file:

DEFAULT Prefix == "t", Strip-User-Name = No
        Hint = "TUM"

It works with freeradius-0.8.1, the username stays unstripped.
With freeradius-1.0.1 the username is always stripped, why?
Maybe I made a syntax error?

A little bit of debug:

SunOS wsc41 5.8 Generic_117000-01 sun4u sparc SUNW,Ultra-5_10
rad_recv: Access-Request packet from host x.x.x.x:32771, id=128, length=56
User-Name = "test"
User-Password = ""
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 36
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "est", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "est"
rlm_realm: Proxying request from user est to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Preparing to proxy authentication request to realm "NULL"
  modcall[authorize]: module "suffix" returns updated for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 178
users: Matched DEFAULT at 385
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to 10.156.10.42:1812
User-Name = "est"
User-Password = ""
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Proxy-State = 0x313238

regards
Helmut Troebs
--
---
 Helmut Troebs
 Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften
 Abteilung Kommunikationsnetze
 Barer Str. 21
 80333 Muenchen
 E-Mail:[EMAIL PROTECTED]
---