[RADIATOR] Rewrite userna functionality for use in ldap_aps authby
Alex Sharaz
A.Sharaz at hull.ac.uk
Mon Apr 30 11:23:28 CDT 2012
Well, as Alan surmised:
<Handler>
RewriteUsername s/^([^@]+).*/$1/
AuthLog paplog
AuthBy osxAuth
PostProcessingHook file:"%D/eap_acct_username.pl"
</Handler>
With a test radpwtst of
root@eduroam-1-east:/var/log/radius# radpwtst -s 150.237.85.225 -secret xxxx -user alexsharaz@sharaz.info -password yyyy -auth_port 1812 -noacct
the rewrite works and things are happy with an access accept being returned.
However, with
root@eduroam-1-east:/var/log/radius# radpwtst -s 150.237.85.225 -secret xxxx -user alexsharaz@sharaz.info -password yyyy -auth_port 1812 -noacct -mschapv2
although it works, in that it does rewrite the username, stripping off the realm and giving, in this case, alexsharaz instead of alexsharaz.info, authentication fails further down the food chain.
Which I guess is something to do with the mschapv2 and the realm in the original request.
Mon Apr 30 17:08:32 2012: DEBUG: ApplePasswordServer read: -AUTHERR SASL -13
Mon Apr 30 17:08:32 2012: ERR: ApplePasswordServer, bad response from AUTH MS-CHAPv2 command: -AUTHERR SASL -13
Mon Apr 30 17:08:32 2012: DEBUG: Radius::AuthLDAP_APS REJECT: Bad Password: alexsharaz [alexsharaz@sharaz.info]
Mon Apr 30 17:08:32 2012: DEBUG: No entries for DEFAULT found in LDAP database
Mon Apr 30 17:08:32 2012: DEBUG: AuthBy LDAP_APS result: REJECT, Bad Password
Mon Apr 30 17:08:32 2012: INFO: Access rejected for alexsharaz: Bad Password
Mon Apr 30 17:08:32 2012: DEBUG: Packet dump:
*** Sending reply to RadSec ipv6:2604:6600:1092::216:3eff:febf:b6ed:48384 ....
Code: Access-Reject
Identifier: 8
Authentic: <131><23>(<183>cl<228>SM<157><201><223><223>'P<178>
Attributes:
Reply-Message = "Request Denied"
Proxy-State = OSC-Extended-Id=8
The only difference in the
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of alan buxey
Sent: Monday, April 30, 2012 4:52 PM
To: Alex Sharaz
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Rewrite userna functionality for use in ldap_aps authby
Hi,
> However, what I actually want to do is send a username with a realm of
> sharaz.info and have the realm stripped out of the user name. When I auth
> to radiator on a windoze platform I can use
RewriteUsername can be called in several places, globally, in the client section or in the handler.
I can't recall if AuthBy_LDAP2 (of which LDAP_APS is a subset) can do RewriteUsername, so instead you can have a call to rewrite the username in the client/server section.
...or call a preauthhook in the handler ?
alan
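
Added example, not part of the original posts and not Radiator or Apple Password Server code: RFC 2759 derives the MS-CHAPv2 challenge from SHA-1 over both challenges and the user name, so a verifier handed the rewritten name computes a different value than a client that hashed the name with its realm. The challenge bytes are constructed, the function names are hypothetical, and it is an assumption that the client hashes the name exactly as typed.

```python
import hashlib
import re


def rewrite_username(name: str) -> str:
    """Python equivalent of the handler's RewriteUsername s/^([^@]+).*/$1/."""
    return re.sub(r"^([^@]+).*", r"\1", name, count=1)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def name_used_by_client(peer, auth, client_hash, candidates):
    """Return the candidate user name whose ChallengeHash matches, else None.

    Useful when debugging: it tells you which form of the name the
    supplicant fed into the hash, and therefore which form the
    verifier has to be given.
    """
    for name in candidates:
        if challenge_hash(peer, auth, name) == client_hash:
            return name
    return None


# Constructed sample values (not taken from the thread's packet dump).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
TYPED = "alexsharaz@sharaz.info"
STRIPPED = rewrite_username(TYPED)

if __name__ == "__main__":
    # Assumption: the client hashed the user name as typed, realm included.
    client = challenge_hash(PEER, AUTH, TYPED)
    server = challenge_hash(PEER, AUTH, STRIPPED)
    print("client challenge:", client.hex())
    print("server challenge:", server.hex())
    print("match with rewritten name:", client == server)
    print("client used:", name_used_by_client(PEER, AUTH, client, [STRIPPED, TYPED]))
```

PAP is unaffected because the password is checked on its own, with no user name mixed into a hash.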