rlm_perl - Asymmetric attribute encoding

Scott Ireland sireland+freeradius at ualberta.net
Tue Apr 1 00:49:10 CEST 2014


On Mon, Mar 31, 2014 at 4:07 PM, Alan DeKok <aland at deployingradius.com>
wrote:

>   Why are you escaping the comma?  That doesn't make much sense.  Commas
> are allowed in strings in FreeRADIUS, and have no special meaning.
>
>   The solution would be to *not* escape the comma in the first place.


This isn't actually anything I'm doing, it's verbatim from the LDAP server.
There is actually a comma in the RDN, which the directory escapes when it
returns the full DN (which seems reasonable, given that it could otherwise
be seen as a separator).  The choice of values here isn't mine either.


>   Because the State attribute is binary data.  The debug message is
> trying to print that binary data, and not doing a good job of it.


As expected, but it does contrast with the later output for illustration.


>   That could be fixed.  But you could then argue that IP addresses
> should be passed to Perl as a 4 byte binary blob.
>
>   Well, the interface to the Perl code is text.  Always text.  If that's
> difficult for Perl, that's just the way it is right now.


Right.. but still, no matter what kind of data I put in, I get something
different back.  If I put in binary data, I get back a string in hex
notation.  If I put in a string, I get that string back in hex notation.
 It isn't just weirdness with binary data or Perl arbitrarily treating
numbers as strings.

This goes out:

rlm_perl: Added pair State = test
Sending Access-Challenge of id 47 to [ip] port 39441
        State = 0x74657374

This comes back:

rad_recv: Access-Request packet from host [ip] port 34792, id=48, length=153
        State = 0x74657374
rlm_perl: Added pair State = 0x74657374

I still have to pack() the State just to get the original plaintext.


>   It's awkward, but it's consistent.  Everything is a string.
>
>
Except that it isn't..  even without arbitrary binary data, the same
attribute is written one way and read a completely different way, which
requires mangling on one side (and only one side) of the processing.  The
same goes for the escaped backslash.
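
The read-side decoding step discussed in the message above, as an added example that is not part of the original post and not rlm_perl's own code. The helper names `decode_octets` and `encode_octets` are hypothetical, and the `%RAD_REQUEST` hash here is a constructed stand-in holding the value from the quoted debug output.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: turn the "0x..." text form that the thread shows for
# State on the read side back into the original bytes. State is echoed back
# by the client, so the value is validated before it is handed to pack().
sub decode_octets {
    my ($value) = @_;
    return unless defined $value;
    # Accept only "0x" followed by an even number of hex digits; anything
    # else is returned untouched rather than guessed at.
    if ($value =~ /\A0x((?:[0-9A-Fa-f]{2})*)\z/) {
        return pack('H*', $1);
    }
    return $value;
}

# Inverse of decode_octets, for comparing against the debug output.
sub encode_octets {
    my ($bytes) = @_;
    return '0x' . unpack('H*', $bytes);
}

# Constructed stand-in for the request hash that rlm_perl fills in, using
# the value from the debug output quoted in the thread.
my %RAD_REQUEST = ( 'State' => '0x74657374' );

my $state = decode_octets($RAD_REQUEST{'State'});
print "decoded State: $state\n";                       # the text that was written
print "re-encoded:    ", encode_octets($state), "\n";  # matches the debug line

# Constructed malformed inputs: odd digit count and non-hex characters are
# passed through unchanged instead of being silently mangled by pack().
for my $bad ('0x746', '0xzz', 'test') {
    print "unchanged:     ", decode_octets($bad), "\n";
}
```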