Hi Dave,
I've just run the same setup as you (I do apologise if you got a hit from a foreign IP address on moon-serv, that was me), but when I specify the FQDN, mine goes through ok (and FR shows the SAML-AAA-Assertion attribute), and FR then crashes (so it sounds similar to yours).
The difference though is that I've used the amended default file (which I forwarded on to you as part of one of Sam's messages). It should provide the SAML-AAA-Assertion portion for at least one of the two cases.
With Regards
Stefan
-----Original Message-----
From: Dave Lewney [mailto:[log in to unmask]]
Sent: 03 June 2013 16:01
To: Paetow, Stefan (DLSLtd,RAL,DIA)
Cc: <[log in to unmask]>
Subject: Re: Testing Live DVD pilot release 2
On 3 Jun 2013, at 14:01, <[log in to unmask]> wrote:
> Hi Dave,
>
> Do you have the following in your post-auth section for your default server (or the one that your SSH server tries to authenticate against):
>
> update reply {
> SAML-AAA-Assertion = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">'
> SAML-AAA-Assertion += '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
> SAML-AAA-Assertion += '<saml:AttributeStatement>'
> SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">'
> SAML-AAA-Assertion += "<saml:AttributeValue>[log in to unmask]</saml:AttributeValue>"
> SAML-AAA-Assertion += '</saml:Attribute>'
> SAML-AAA-Assertion += '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">'
> SAML-AAA-Assertion += "<saml:AttributeValue>moonshot</saml:AttributeValue>"
> SAML-AAA-Assertion += '</saml:Attribute>'
> SAML-AAA-Assertion += '</saml:AttributeStatement>'
> SAML-AAA-Assertion += '</saml:Assertion>'
> }
>
> I don't see that in the Access-Accept packets from the RADIUS server?
>
> Regards
>
> Stefan
Hi Stefan,
I've got the above config in /etc/freeradius/sites-enabled/default . As far as I know I haven't changed any of the radius config apart from anything specified in the "Getting started..." instructions.
It seems to be losing the lhs of the User-Name pretty early on, or have I got the wrong end of the stick?
[Apologies - I'm learning about freeradius the hard way!]
Cheers,
Dave
---
Dave Lewney
IT Services, University of Sussex, Brighton BN1 9QT
--
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
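As an added example (not code from this thread or from the Moonshot/FreeRADIUS projects), the following Python check reassembles the SAML-AAA-Assertion from the fragments in the quoted `update reply` block and parses the result, so a mangled or dropped fragment in the Access-Accept shows up as a parse error rather than a client crash. It assumes each `+=` line becomes one attribute instance that the receiving client concatenates in reply order, and it uses a constructed placeholder address where the thread's value was masked.

```python
# Reassemble a Moonshot SAML-AAA-Assertion from FreeRADIUS reply fragments and check it.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# RFC 2865: an attribute value is at most 253 bytes; a Vendor-Specific value loses
# another 4 (Vendor-Id) + 2 (vendor type/length) bytes, leaving 247 per instance.
VSA_VALUE_MAX = 247

# Constructed fragments mirroring the quoted post-auth `update reply` block.
# Assumption: each `+=` adds one attribute instance and the client joins them in order.
FRAGMENTS = [
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">',
    '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>',
    '<saml:AttributeStatement>',
    '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">',
    '<saml:AttributeValue>user@example.org</saml:AttributeValue>',  # placeholder; masked in the thread
    '</saml:Attribute>',
    '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">',
    '<saml:AttributeValue>moonshot</saml:AttributeValue>',
    '</saml:Attribute>',
    '</saml:AttributeStatement>',
    '</saml:Assertion>',
]

def check_fragments(fragments):
    """Return the indices of fragments too long to fit in one VSA instance."""
    return [i for i, f in enumerate(fragments) if len(f.encode()) > VSA_VALUE_MAX]

def assemble_assertion(fragments):
    """Join the per-instance values in reply order, as the receiving client does."""
    return "".join(fragments)

def extract_attributes(xml_text):
    """Parse the assembled assertion and return issuer, version and attributes by OID.
    Raises xml.etree.ElementTree.ParseError if a fragment was dropped or mangled."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not saml:Assertion")
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", ns)]
    return {"issuer": root.findtext("saml:Issuer", namespaces=ns),
            "version": root.get("Version"), "attrs": attrs}

if __name__ == "__main__":
    print("oversized fragments:", check_fragments(FRAGMENTS))
    print(extract_attributes(assemble_assertion(FRAGMENTS)))
```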