I would like ntlm_auth failure reasons more visible so our
help desk can assist users who are having trouble authenticating.
Currently, rlm_ldap creates a request attribute called “Module-Failure-Message”
on some types of errors (e.g., user not found). I created a small patch
for rlm_mschap that creates the same request attribute with the output from
ntlm_auth if authentication fails. (Before someone asks how this lets our
help desk see the information, I have written a post-auth perl script that
captures this and other attributes and writes them to a custom log file. Our
help desk then uses a viewer utility I wrote to search/display the logs.)
I have a similar desire to capture SSL negotiation failure
reasons in our logs. I have created another patch to capture these
failures as well although it is currently against FR 1.1.2. If there’s
interest, I can integrate this change to CVS head and submit it as well.
Below is the rlm_mschap patch for your review and
comment. This was made against the CVS head I checked out on Oct. 12.
Thanks for your time and consideration.
---
src/modules/rlm_mschap/rlm_mschap.c.orig Tue Oct 3
17:46:50 2006
+++ src/modules/rlm_mschap/rlm_mschap.c Thu Oct 12 15:32:04
2006
@@ -786,6 +786,9 @@
} else
{
/* run ntlm_auth */
int result;
char buffer[256];
+
VALUE_PAIR *module_fmsg_vp;
+
char module_fmsg[MAX_STRING_LEN];
+
int
module_fmsg_lastchr = 0;
memset(nthashhash, 0, 16);
@@ -798,6 +801,13 @@
NULL, NULL, 1);
if (result != 0) {
DEBUG2(" rlm_mschap: External script failed.");
+
snprintf(module_fmsg, sizeof(module_fmsg), "rlm_mschap: %s", buffer);
+
module_fmsg_lastchr = strlen(module_fmsg)-1;
+
if (module_fmsg[module_fmsg_lastchr] = '\n') {
+
module_fmsg[module_fmsg_lastchr] = '\0';
+
}
+
module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg,
T_OP_EQ);
+
pairadd(&request->packet->vps, module_fmsg_vp);
return -1;
}