(RADIATOR) full user name -> rewritten to realm only -> want full user name again in LDAP lookup & hooks.

Hugh Irvine hugh at open.com.au
Thu Nov 10 20:35:55 CST 2005


Hello Matt -

Instead of using multiple RewriteUsername's, why not just use "%R" to look up the tunnel?

See section 6.2 in the Radiator 3.13 reference manual ("doc/ref.html").

regards

Hugh


On 11 Nov 2005, at 12:21, Lohier, Matthew wrote:

>
> Hi everyone,
>
> Version: Radiator-3.13 on linux.
>
> I've noticed some problems with rewriting the user name, and then using
> the %u,%w... variables to use the original name before the rewriting had
> happened.
>
> I use User-Name in some LDAP lookup with the full name (user@realm),
> then rewrite the user name to realm only and do a lookup, but then I
> need to do another lookup with the full name again (see below).
>
> <Handler Client-Identifier=XXX,Request-Type=Access-Request>
> 	AuthByPolicy ContinueWhileAccept
>
> 	<AuthBy GROUP>
> 		AuthByPolicy ContinueUntilIgnore
> 		AuthBy lookupUT
> 		<AuthBy INTERNAL>
> 			AuthHook file:"%D/Hooks/checkUT.pl"
> 		</AuthBy>
> 	</AuthBy>
>
> 	<AuthBy GROUP>
> 		AuthByPolicy ContinueUntilIgnore
> 		# Rewriting username stripping user and leaving domain.
> 		RewriteUsername s/^.*@//
> 		AuthBy lookupTunnel
> 		<AuthBy INTERNAL>
> 			AuthHook file:"%D/Hooks/checkTunnel.pl"
> 		</AuthBy>
> 	</AuthBy>
>
> 	#
> 	# NEED TO USE THE ORIGINAL USER NAME HERE (before rewriting).
> 	<AuthBy GROUP>
> 		AuthByPolicy ContinueUntilIgnore
> 		AuthBy lookupSubscriber
> 		<AuthBy INTERNAL>
> 			AuthHook file:"%D/Hooks/checkSubscriber.pl"
> 		</AuthBy>
> 	</AuthBy>
> </Handler>
>
> <AuthBy LDAP2>
> 	Identifier 		lookupSubscriber
> 	Host 			xxx
> 	Port			yyy
> 	AuthDN 			sss
> 	AuthPassword 		yy
> 	BaseDN 			yyy
> 	NoDefault
> 	UsernameAttr 		cn
> 	PasswordAttr
> 	SearchFilter		(cn=%u)
> 	AddToReply 		Reply-Message=SUCCESS
> 	AuthAttrDef		uid,Utid,reply
> </AuthBy>
>
> Note: I cannot modify the ordering of the clause. I use %u (full name
> before rewriting) in the last clause.
>
> Suppose Clause 1 has happened with user matt.lohier@realm.net.au. Clause
> 2 modified the name to realm.net.au. And now Clause 3 sort of works.
> The LDAP query will find the right user (matt.lohier@realm.net.au) but
> Radiator will still try to match the entry with the rewritten user name
> (realm.net.au) (see below) AND more importantly the User-Name attribute
> in the request is still the rewritten one. Annoying!
>
> Fri Nov 11 12:07:56 2005: DEBUG: LDAP got result for cn=matt.lohier@realm.net.au,ou=Subscriber directory,dc=iburstForum,dc=org
> Fri Nov 11 12:07:56 2005: DEBUG: LDAP got uid: 001264384002795
> Fri Nov 11 12:07:56 2005: DEBUG: LDAP got creationDate: 1131670385
> Fri Nov 11 12:07:56 2005: DEBUG: LDAP got ati: 10
> Fri Nov 11 12:07:56 2005: DEBUG: Radius::AuthLDAP2 looks for match with realm.net.au
> Fri Nov 11 12:07:56 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Fri Nov 11 12:07:56 2005: DEBUG: Handling with AuthINTERNAL:
> Fri Nov 11 12:07:56 2005: DEBUG: AuthHook checkSubscriber()
> Fri Nov 11 12:07:56 2005: DEBUG: Checking access request for user (realm.net.au) and uid (001264384002795).
> Fri Nov 11 12:07:56 2005: DEBUG: Request has User-Name: realm.net.au
>
>
> So I did things a bit differently and used StripFromRequest,AddToRequest
> in Clause 3.
> 	<AuthBy GROUP>
> 		AuthByPolicy ContinueUntilIgnore
> 		StripFromRequest	User-Name
> 		AddToRequest 		User-Name=%u
> 		AuthBy lookupSubscriber
> 		<AuthBy INTERNAL>
> 			AuthHook file:"%D/Hooks/checkSubscriber.pl"
> 		</AuthBy>
> 	</AuthBy>
>
>
> That's a bit better (see below), but Radiator's still trying to match
> the entry with the old user name. It works in this case, but I'm worried
> we can run into problems. That code is in AuthGeneric.pm.
> Fri Nov 11 12:15:01 2005: DEBUG: Handling with Radius::AuthLDAP2: lookupSubscriber
> Fri Nov 11 12:15:01 2005: INFO: Connecting to xxx
> Fri Nov 11 12:15:01 2005: INFO: Attempting to bind to LDAP server yyy
> Fri Nov 11 12:15:01 2005: DEBUG: LDAP got result for cn=matt.lohier@realm.au,ou=XXX
> Fri Nov 11 12:15:01 2005: DEBUG: LDAP got uid: 001264384002795
> Fri Nov 11 12:15:01 2005: DEBUG: Radius::AuthLDAP2 looks for match with realm.net.au
> Fri Nov 11 12:15:01 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Fri Nov 11 12:15:01 2005: DEBUG: Handling with AuthINTERNAL:
> Fri Nov 11 12:15:01 2005: DEBUG: AuthHook checkSubscriber()
> Fri Nov 11 12:15:01 2005: DEBUG: Request has User-Name: matt.lohier@iburst.net.au
>
>
> Do you think there's something you can fix here? Or maybe there's a
> better way to tackle the problem, and you could show me how?
>
> Thanks a lot / Matt
>
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
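To put Hugh's suggestion into concrete form, here is an added configuration sketch for the same three-clause Handler. It is not from the original thread and is not Matt's or Radiator's own shipped configuration. Clause 2 drops the RewriteUsername line and instead keys the tunnel lookup on the realm through %R in the SearchFilter of lookupTunnel, so User-Name in the request is never rewritten and Clause 3 (and the checkSubscriber.pl hook) see the full user@realm value without any StripFromRequest/AddToRequest workaround. Host, Port, AuthDN, AuthPassword and BaseDN are placeholders, and the parameter names are the Radiator-3.13 LDAP2 ones already used in Matt's config; whether the post-search "looks for match with" step in lookupTunnel also needs attention is not settled in the thread, so confirm with a trace 4 debug.

```text
<Handler Client-Identifier=XXX,Request-Type=Access-Request>
	AuthByPolicy ContinueWhileAccept

	# Clause 1: unchanged, works on the full user@realm name.
	<AuthBy GROUP>
		AuthByPolicy ContinueUntilIgnore
		AuthBy lookupUT
		<AuthBy INTERNAL>
			AuthHook file:"%D/Hooks/checkUT.pl"
		</AuthBy>
	</AuthBy>

	# Clause 2: no RewriteUsername. The realm is taken from %R inside
	# lookupTunnel's SearchFilter, so User-Name stays as it arrived.
	<AuthBy GROUP>
		AuthByPolicy ContinueUntilIgnore
		AuthBy lookupTunnel
		<AuthBy INTERNAL>
			AuthHook file:"%D/Hooks/checkTunnel.pl"
		</AuthBy>
	</AuthBy>

	# Clause 3: still sees the original User-Name, so the
	# StripFromRequest/AddToRequest pair is no longer needed.
	<AuthBy GROUP>
		AuthByPolicy ContinueUntilIgnore
		AuthBy lookupSubscriber
		<AuthBy INTERNAL>
			AuthHook file:"%D/Hooks/checkSubscriber.pl"
		</AuthBy>
	</AuthBy>
</Handler>

# Tunnel lookup keyed on the realm part of User-Name (%R), e.g. realm.net.au.
# Host, Port, AuthDN, AuthPassword and BaseDN below are placeholders.
<AuthBy LDAP2>
	Identifier		lookupTunnel
	Host			ldap.example.org
	Port			389
	AuthDN			cn=radiator,dc=example,dc=org
	AuthPassword		changeme
	BaseDN			ou=Tunnels,dc=example,dc=org
	NoDefault
	UsernameAttr		cn
	SearchFilter		(cn=%R)
	# Tunnel reply attributes (AuthAttrDef / AddToReply) go here,
	# as in the original lookupTunnel clause.
</AuthBy>
```

The point of the change is that only the LDAP filter ever sees the realm-only form; the request itself, and therefore every later AuthBy and hook, keeps the name the client actually sent.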

