(RADIATOR) RewriteUsername and AuthBy LDAP2

Chris Hills chills at ne-worcs.ac.uk
Fri Dec 9 08:09:49 CST 2005


Hi

I have a problem in which it seems that the RewriteUsername directive is 
not being honoured when used in an AuthBy LDAP2 clause.

Configuration:-

<AuthBy LDAP2>
         Identifier CheckLDAP

         Host xxxx
         Host xxxx

         BaseDN xxxx
         AuthDN xxxx
         AuthPassword xxxx

         RewriteUsername s/^([^@]+).*/$1/

         UsernameAttr uid
         PasswordAttr ntPassword

         PostSearchHook sub {my $ntpassword = $_[3]->get_check->get_attr('User-Password'); $_[3]->get_check->change_attr('User-Password', "{nthash}$ntpassword");}

         AddToReplyIfNotExist Tunnel-Type=VLAN,Tunnel-Medium-Type=Ether_802,Tunnel-Private-Group-ID=17

         EAPType PEAP,MSCHAP-V2,TTLS
         EAPTLS_CertificateType PEM
         EAPTLS_CAFile /usr/share/ssl/certs/ad-test.ca.pem
         EAPTLS_CertificateFile /usr/share/ssl/certs/radius2-cert.pem
         EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius2-key.pem
         EAPTLS_PrivateKeyPassword amalthea
         AutoMPPEKeys
         Debug 255
</AuthBy>

<Handler Client-Identifier=redditch-3com-7250-waps,Realm=ne-worcs.ac.uk>
         AuthBy  CheckLDAP
         AuthLog authlogger
</Handler>


Log excerpt:-

Fri Dec  9 14:02:32 2005: DEBUG: Handling request with Handler 'Client-Identifier=redditch-3com-7250-waps,Realm=ne-worcs.ac.uk'
Fri Dec  9 14:02:32 2005: DEBUG:  Deleting session for user at ne-worcs.ac.uk, 172.18.102.11,
Fri Dec  9 14:02:32 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
Fri Dec  9 14:02:32 2005: INFO: Connecting to xxx, port 389
Fri Dec  9 14:02:32 2005: INFO: Attempting to bind to LDAP server xxx:389
Fri Dec  9 14:02:32 2005: DEBUG: No entries for user at ne-worcs.ac.uk found in LDAP database
Fri Dec  9 14:02:32 2005: DEBUG: Radius::AuthLDAP2 looks for match with user at ne-worcs.ac.uk
Fri Dec  9 14:02:32 2005: INFO: Connecting to xxx, port 389
Fri Dec  9 14:02:32 2005: INFO: Attempting to bind to LDAP server xxx:389
Fri Dec  9 14:02:32 2005: DEBUG: No entries for DEFAULT found in LDAP database
Fri Dec  9 14:02:32 2005: DEBUG: AuthBy LDAP2 result: REJECT, No such user
Fri Dec  9 14:02:32 2005: INFO: Access rejected for user at ne-worcs.ac.uk: No such user
Fri Dec  9 14:02:32 2005: DEBUG: EAP result: 1, EAP TTLS inner authentication redespatched to a Handler
Fri Dec  9 14:02:32 2005: DEBUG: AuthBy LDAP2 result: REJECT, EAP TTLS inner authentication redespatched to a Handler
Fri Dec  9 14:02:32 2005: INFO: Access rejected for anonymous at ne-worcs.ac.uk: EAP TTLS inner authentication redespatched to a Handler



The line "DEBUG: No entries for user at ne-worcs.ac.uk" indicates that it is 
using "user at ne-worcs.ac.uk" to search the LDAP directory rather than 
simply "user". Is this a bug or is it down to misunderstanding?

I can get authentication to succeed if I remove the domain part from the 
authentication request. However, due to pending participation in the LIN 
project, it is vital that we are able to use the full user at domain syntax 
in the request.

Regards

-- 
Chris Hills                       | Tel: +44 (0)1527 572754
IT Services                       | Fax: +44 (0)1527 572901
North East Worcestershire College | Web: http://www.ne-worcs.ac.uk/
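The following is an added example, not code from the post or from Radiator: it applies the post's RewriteUsername rule (Perl s/^([^@]+).*/$1/) in Python and scans Radiator debug lines of the kind shown in the excerpt to list every LDAP search name that was still in user@realm form, i.e. searched before (or without) the rewrite. The sample log lines are constructed from the excerpt with the archive's " at " obfuscation undone and wrapped lines rejoined.

```python
import re

# Same pattern as the RewriteUsername line in the post: keep everything
# before the first '@' and drop the rest. A name with no '@' is unchanged,
# and a name starting with '@' does not match at all, so it is left as-is.
REWRITE = re.compile(r'^([^@]+).*')


def rewrite_username(name: str) -> str:
    """Apply the post's RewriteUsername rule to one User-Name value."""
    return REWRITE.sub(r'\1', name, count=1)


# Radiator AuthLDAP2 debug lines that reveal which name was searched for.
SEARCH_PATTERNS = (
    re.compile(r'looks for match with (\S+)'),
    re.compile(r'No entries for (\S+) found in LDAP database'),
)


def unrewritten_searches(log_lines):
    """Return LDAP search names that differ from their rewritten form.

    An empty list means every name AuthLDAP2 searched for was already in
    rewritten form (or needed no rewriting, e.g. DEFAULT). Anything else
    shows the rule was not applied before the LDAP lookup.
    """
    found = []
    for line in log_lines:
        for pat in SEARCH_PATTERNS:
            m = pat.search(line)
            if m:
                name = m.group(1)
                if rewrite_username(name) != name:
                    found.append(name)
                break
    return found


# Constructed sample, modelled on the log excerpt in the post.
SAMPLE_LOG = [
    "Fri Dec  9 14:02:32 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP",
    "Fri Dec  9 14:02:32 2005: DEBUG: No entries for user@ne-worcs.ac.uk found in LDAP database",
    "Fri Dec  9 14:02:32 2005: DEBUG: Radius::AuthLDAP2 looks for match with user@ne-worcs.ac.uk",
    "Fri Dec  9 14:02:32 2005: DEBUG: No entries for DEFAULT found in LDAP database",
    "Fri Dec  9 14:02:32 2005: DEBUG: AuthBy LDAP2 result: REJECT, No such user",
]

if __name__ == '__main__':
    for name in unrewritten_searches(SAMPLE_LOG):
        print(f"searched {name!r}, rewrite would have given {rewrite_username(name)!r}")
```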

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
