(RADIATOR) full user name -> rewritten to realm only -> want full user name again in LDAP lookup & hooks.
Hugh Irvine
hugh at open.com.au
Thu Nov 10 20:35:55 CST 2005
Hello Matt -
Instead of using multiple RewriteUsername's, why not just use "%R" to look up the tunnel?
See section 6.2 in the Radiator 3.13 reference manual ("doc/ref.html").
regards
Hugh
On 11 Nov 2005, at 12:21, Lohier, Matthew wrote:
>
> Hi everyone,
>
> Version: Radiator-3.13 on linux.
>
> I've noticed some problems with rewriting the user name, and then using
> the %u,%w... variables to use the original name before the rewriting had
> happened.
>
> I use User-Name in some LDAP lookup with the full name (user at realm),
> then rewrite the user name to realm only and do a lookup, but then I
> need to do another lookup with the full name again (see below).
>
> <Handler Client-Identifier=XXX,Request-Type=Access-Request>
>     AuthByPolicy ContinueWhileAccept
>
>     <AuthBy GROUP>
>         AuthByPolicy ContinueUntilIgnore
>         AuthBy lookupUT
>         <AuthBy INTERNAL>
>             AuthHook file:"%D/Hooks/checkUT.pl"
>         </AuthBy>
>     </AuthBy>
>
>     <AuthBy GROUP>
>         AuthByPolicy ContinueUntilIgnore
>         # Rewriting username stripping user and leaving domain.
>         RewriteUsername s/^.*@//
>         AuthBy lookupTunnel
>         <AuthBy INTERNAL>
>             AuthHook file:"%D/Hooks/checkTunnel.pl"
>         </AuthBy>
>     </AuthBy>
>
>     #
>     # NEED TO USE THE ORIGINAL USER NAME HERE (before rewriting).
>     <AuthBy GROUP>
>         AuthByPolicy ContinueUntilIgnore
>         AuthBy lookupSubscriber
>         <AuthBy INTERNAL>
>             AuthHook file:"%D/Hooks/checkSubscriber.pl"
>         </AuthBy>
>     </AuthBy>
> </Handler>
>
> <AuthBy LDAP2>
>     Identifier lookupSubscriber
>     Host xxx
>     Port yyy
>     AuthDN sss
>     AuthPassword yy
>     BaseDN yyy
>     NoDefault
>     UsernameAttr cn
>     PasswordAttr
>     SearchFilter (cn=%u)
>     AddToReply Reply-Message=SUCCESS
>     AuthAttrDef uid,Utid,reply
> </AuthBy>
>
> Note: I cannot modify the ordering of the clause. I use %u (full name
> before rewriting) in the last clause.
>
> Suppose Clause 1 has happened with user matt.lohier at realm.net.au.
> Clause 2 modified the name to realm.net.au. And now Clause 3 sort of works.
> The LDAP query will find the right user (matt.lohier at realm.net.au) but
> Radiator will still try to match the entry with the rewritten user name
> (realm.net.au) (see below) AND more importantly the User-Name attribute
> in the request is still the rewritten one. Annoying!
>
> Fri Nov 11 12:07:56 2005: DEBUG: LDAP got result for cn=matt.lohier at realm.net.au,ou=Subscriber directory,dc=iburstForum,dc=org
> Fri Nov 11 12:07:56 2005: DEBUG: LDAP got uid: 001264384002795
> Fri Nov 11 12:07:56 2005: DEBUG: LDAP got creationDate: 1131670385
> Fri Nov 11 12:07:56 2005: DEBUG: LDAP got ati: 10
> Fri Nov 11 12:07:56 2005: DEBUG: Radius::AuthLDAP2 looks for match with realm.net.au
> Fri Nov 11 12:07:56 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Fri Nov 11 12:07:56 2005: DEBUG: Handling with AuthINTERNAL:
> Fri Nov 11 12:07:56 2005: DEBUG: AuthHook checkSubscriber()
> Fri Nov 11 12:07:56 2005: DEBUG: Checking access request for user (realm.net.au) and uid (001264384002795).
> Fri Nov 11 12:07:56 2005: DEBUG: Request has User-Name: realm.net.au
>
>
> So I did things a bit differently and used StripFromRequest,AddToRequest
> in Clause 3.
>
> <AuthBy GROUP>
>     AuthByPolicy ContinueUntilIgnore
>     StripFromRequest User-Name
>     AddToRequest User-Name=%u
>     AuthBy lookupSubscriber
>     <AuthBy INTERNAL>
>         AuthHook file:"%D/Hooks/checkSubscriber.pl"
>     </AuthBy>
> </AuthBy>
>
>
> That's a bit better (see below), but Radiator's still trying to match
> the entry with the old user name. It works in this case, but I'm worried
> we can run into problems. That code is in AuthGeneric.pm.
>
> Fri Nov 11 12:15:01 2005: DEBUG: Handling with Radius::AuthLDAP2: lookupSubscriber
> Fri Nov 11 12:15:01 2005: INFO: Connecting to xxx
> Fri Nov 11 12:15:01 2005: INFO: Attempting to bind to LDAP server yyy
> Fri Nov 11 12:15:01 2005: DEBUG: LDAP got result for cn=matt.lohier at realm.au,ou=XXX
> Fri Nov 11 12:15:01 2005: DEBUG: LDAP got uid: 001264384002795
> Fri Nov 11 12:15:01 2005: DEBUG: Radius::AuthLDAP2 looks for match with realm.net.au
> Fri Nov 11 12:15:01 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Fri Nov 11 12:15:01 2005: DEBUG: Handling with AuthINTERNAL:
> Fri Nov 11 12:15:01 2005: DEBUG: AuthHook checkSubscriber()
> Fri Nov 11 12:15:01 2005: DEBUG: Request has User-Name: matt.lohier at iburst.net.au
>
>
> Do you think there's something you can fix here? Or maybe there's a
> better way to tackle the problem, and you could show me how?
>
> Thanks a lot / Matt
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
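As an added example (not part of either message in this thread), this is how Hugh's suggestion could be applied to Matt's second clause: the tunnel is looked up by realm through `%R` and no `RewriteUsername` runs, so the request's `User-Name` and the `%u` used by the later lookupSubscriber clause still carry the full `user@realm` name. Host, port, bind DN, password and BaseDN values are placeholders.

```text
# Clause 2 without RewriteUsername. Because the user name is never rewritten,
# every later clause (and its AuthHook) still sees the full User-Name, and the
# StripFromRequest/AddToRequest workaround in Clause 3 is no longer needed.
<AuthBy GROUP>
    AuthByPolicy ContinueUntilIgnore
    AuthBy lookupTunnel
    <AuthBy INTERNAL>
        AuthHook file:"%D/Hooks/checkTunnel.pl"
    </AuthBy>
</AuthBy>

# The tunnel entry is found by realm: %R expands to the part of User-Name
# after the '@' (realm.net.au for matt.lohier@realm.net.au), so the realm
# is the search key instead of the rewritten user name.
# Connection settings below are placeholders, not values from the thread.
<AuthBy LDAP2>
    Identifier lookupTunnel
    Host ldap.example.net
    Port 389
    AuthDN cn=radiator,dc=example,dc=net
    AuthPassword PLACEHOLDER
    BaseDN ou=Tunnels,dc=example,dc=net
    NoDefault
    SearchFilter (cn=%R)
</AuthBy>
```

With this layout a trace 4 debug should show the request's User-Name unchanged across all three clauses, which is the easiest way to confirm the rewrite is gone.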