Zitat von Nicolas Baradakis <nbk@sitadelle.com>:
Markus Krause wrote:
Zitat von Nicolas Baradakis <nbk@sitadelle.com>:
And finally, if someone has a setup with ldap backend, and is volunteering to test the patch under bug #261 (ldap_pairget fixes), perhaps it could be added to 1.1.1, too. I'm not using LDAP on my site, therefore I can't test it myself easily.
i have a testing installation with freeradius using ldap on which i could do some tests if necessary. unfortunatly i am not a freeradius expert, but if you tell me what i should test/try i would be glad to help!
Thanks, that'd be useful. Here you are the detailed instructions:
$ cvs -d :pserver:anoncvs@cvs.freeradius.org:/source login CVS password: anoncvs $ cvs -d :pserver:anoncvs@cvs.freeradius.org:/source checkout -r branch_1_1 radiusd $ cd radiusd $ wget 'http://bugs.freeradius.org/showattachment.cgi?attach_id=113' -O ldap_pairget.patch $ patch -p0 < ldap_pairget.patch
Then recompile FreeRADIUS like usual and test with a user from your LDAP directory. If that works, the next step is to enter the test values from the bugzilla into LDAP, and verify if the RADIUS values are correct in the reply packet.
See http://bugs.freeradius.org/show_bug.cgi?id=261
-- Nicolas Baradakis so here is what i did and what happend (on a current debian sarge linux, suse seems to be missing some packages):
atlas:~/radius-test# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source login Logging in to :pserver:anoncvs@cvs.freeradius.org:2401/source CVS password: <i typed "anoncvs"> atlas:~/radius-test# cvs -d :pserver:anoncvs@cvs.freeradius.org:/source checkout -r branch_1_1 radiusd [lots of cvs messages "U radiusd/ ..."] atlas:~/radius-test# cd radiusd/ atlas:~/radius-test/radiusd# wget 'http://bugs.freeradius.org/showattachment.cgi?attach_id=113' -O ldap_pairg et.patch [wget output] atlas:~/radius-test/radiusd# patch -p0 < ldap_pairget.patch patching file src/modules/rlm_ldap/rlm_ldap.c Hunk #1 succeeded at 2309 (offset 32 lines). atlas:~/radius-test/radiusd# dpkg-buildpackage -us -uc -b [lot of output, all seems successful, results are debian packages] atlas:~/radius-test/radiusd# cd .. atlas:~/radius-test# dpkg -i freeradius_1.1.0-0_i386.deb freeradius-ldap_1.1.0-0_i386.deb freeradius-mysql_1.1.0-0_i386.deb [some output, all ok] atlas:~/radius-test# now the entry of a ldap user (as ldif): # testuser2, People, mogli.de dn: uid=testuser2,ou=People,dc=mogli,dc=de cn: testuser2 objectClass: account objectClass: posixAccount objectClass: top objectClass: radiusprofile uidNumber: 501 gidNumber: 100 homeDirectory: /home/testuser1 loginShell: /bin/bash uid: testuser2 dialupAccess: 1 radiusTunnelMediumType: IEEE-802 radiusTunnelPrivateGroupId: 1 radiusTunnelType: VLAN radiusFramedIPAddress: 192.168.0.112 radiusFramedIPNetmask: 255.255.255.0 radiusExpiration: 11 Jan 2006 13:00:00 userPassword: {CRYPT}sefjKaLm7zybE radiusReplyItem: Reply-Message := foo bar radiusReplyItem: Reply-Message += This_is_a_Reply radiusReplyItem: Reply-Message += This is another Reply with spaces radiusReplyItem: Reply-Message += This_is_yet_another_Reply_without_spaces now a test with radtest: atlas:~# radtest testuser2 secret localhost 0 testing123 Sending Access-Request of id 7 to 127.0.0.1 port 1812 User-Name = "testuser2" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=7, length=97 Framed-IP-Netmask = 255.255.255.0 Framed-IP-Address = 192.168.0.112 Reply-Message = "This_is_a_Reply" Reply-Message = "This_is_yet_another_Reply_without_spaces" Session-Timeout = 70115 atlas:~# it looks like the reply-message items containing spaces are ignored, the debug output of freeradius -XA says: rad_recv: Access-Request packet from host 127.0.0.1:32784, id=33, length=61 User-Name = "testuser2" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser2 radius_xlat: '(uid=testuser2)' radius_xlat: 'dc=mogli,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 0 rlm_ldap: bind as / to ldapserv1.mogli.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser2) rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusExpiration as Expiration, value 11 Jan 2006 13:00:00 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11 rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 192.168.0.112 & op=11 rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message += This_is_a_Reply rlm_ldap: parsing radiusReplyItem failed: Reply-Message += This is another Reply with spaces rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message += This_is_yet_another_Reply_without_spaces rlm_ldap: user testuser2 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser2" with password "secret" rlm_ldap: user DN: uid=testuser2,ou=People,dc=mogli,dc=de rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1 rlm_ldap: bind as uid=testuser2,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user testuser2 authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 0 modcall: leaving group LDAP (returns ok) for request 0 radius_xlat: 'This_is_a_Reply' radius_xlat: 'This_is_yet_another_Reply_without_spaces' Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110 modcall[post-auth]: module "reply_log" returns ok for request 0 rlm_sql (sql): Processing sql_postauth radius_xlat: 'testuser2' rlm_sql (sql): sql_set_user escaped user --> 'testuser2' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser2', 'secret', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser2', 'secret', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 modcall[post-auth]: module "sql" returns ok for request 0 modcall: leaving group post-auth (returns ok) for request 0 Sending Access-Accept of id 33 to 127.0.0.1 port 32784 Framed-IP-Netmask = 255.255.255.0 Framed-IP-Address = 192.168.0.112 Reply-Message += "This_is_a_Reply" Reply-Message += "This_is_yet_another_Reply_without_spaces" Session-Timeout := 70038 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 33 with timestamp 43c3e1aa Nothing to do. Sleeping until we see a request. there seems to be (still?) a problem with spaces: rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar rlm_ldap: parsing radiusReplyItem failed: Reply-Message += This is another Reply with spaces to be sure it is not due to "+=" i entered the following to users in ldap (again ldif): # testuser3, People, mogli.de dn: uid=testuser3,ou=People,dc=mogli,dc=de cn: testuser3 objectClass: account objectClass: posixAccount objectClass: top objectClass: radiusprofile uidNumber: 501 gidNumber: 100 homeDirectory: /home/testuser1 loginShell: /bin/bash uid: testuser3 dialupAccess: 1 userPassword: {CRYPT}sefjKaLm7zybE radiusReplyItem: Reply-Message := foo bar # testuser4, People, mogli.de dn: uid=testuser4,ou=People,dc=mogli,dc=de cn: testuser4 objectClass: account objectClass: posixAccount objectClass: top objectClass: radiusprofile uidNumber: 501 gidNumber: 100 homeDirectory: /home/testuser1 loginShell: /bin/bash uid: testuser4 dialupAccess: 1 userPassword: {CRYPT}sefjKaLm7zybE radiusReplyItem: Reply-Message := foo_bar radtest says: atlas:~# radtest testuser3 secret localhost 0 testing123 Sending Access-Request of id 243 to 127.0.0.1 port 1812 User-Name = "testuser3" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=243, length=20 atlas:~# radtest testuser4 secret localhost 0 testing123 Sending Access-Request of id 248 to 127.0.0.1 port 1812 User-Name = "testuser4" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=248, length=29 Reply-Message = "foo_bar" atlas:~# the debug output is similar to them for testuser2: rad_recv: Access-Request packet from host 127.0.0.1:32791, id=243, length=61 User-Name = "testuser3" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 modcall[authorize]: module "files" returns notfound for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser3 radius_xlat: '(uid=testuser3)' radius_xlat: 'dc=mogli,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser3) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: parsing radiusReplyItem failed: Reply-Message := foo bar rlm_ldap: user testuser3 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser3" with password "secret" rlm_ldap: user DN: uid=testuser3,ou=People,dc=mogli,dc=de rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1 rlm_ldap: bind as uid=testuser3,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user testuser3 authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: leaving group LDAP (returns ok) for request 1 Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 1 radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110 modcall[post-auth]: module "reply_log" returns ok for request 1 rlm_sql (sql): Processing sql_postauth radius_xlat: 'testuser3' rlm_sql (sql): sql_set_user escaped user --> 'testuser3' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser3', 'secret', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser3', 'secret', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 modcall[post-auth]: module "sql" returns ok for request 1 modcall: leaving group post-auth (returns ok) for request 1 Sending Access-Accept of id 243 to 127.0.0.1 port 32791 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32792, id=248, length=61 User-Name = "testuser4" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 modcall[authorize]: module "files" returns notfound for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser4 radius_xlat: '(uid=testuser4)' radius_xlat: 'dc=mogli,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser4) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: extracted attribute Reply-Message from generic item Reply-Message := foo_bar rlm_ldap: user testuser4 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 2 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser4" with password "secret" rlm_ldap: user DN: uid=testuser4,ou=People,dc=mogli,dc=de rlm_ldap: (re)connect to ldapserv1.mogli.de:389, authentication 1 rlm_ldap: bind as uid=testuser4,ou=People,dc=mogli,dc=de/secret to ldapserv1.mogli.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user testuser4 authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 2 modcall: leaving group LDAP (returns ok) for request 2 radius_xlat: 'foo_bar' Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 2 radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110' rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20060110 modcall[post-auth]: module "reply_log" returns ok for request 2 rlm_sql (sql): Processing sql_postauth radius_xlat: 'testuser4' rlm_sql (sql): sql_set_user escaped user --> 'testuser4' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser4', 'secret', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser4', 'secret', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 modcall[post-auth]: module "sql" returns ok for request 2 modcall: leaving group post-auth (returns ok) for request 2 Sending Access-Accept of id 248 to 127.0.0.1 port 32792 Reply-Message := "foo_bar" Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 243 with timestamp 43c3e448 Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 248 with timestamp 43c3e44b Nothing to do. Sleeping until we see a request. of course there can be antoher error on my side, but seems that ldap reply items containing spaces are not parsed correctly. if i can test some more just let me know, sorry to be of no more help! regards markus -- Markus Krause email: krause@biochem.mpg.de Computing Center Tel.: 089 - 89 40 85 99 Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98 --------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
so here is what i did and what happend (on a current debian sarge linux, suse seems to be missing some packages): [...]
Very well, everything seems fine.
now the entry of a ldap user (as ldif): # testuser2, People, mogli.de dn: uid=testuser2,ou=People,dc=mogli,dc=de [...] radiusReplyItem: Reply-Message := foo bar radiusReplyItem: Reply-Message += This_is_a_Reply radiusReplyItem: Reply-Message += This is another Reply with spaces radiusReplyItem: Reply-Message += This_is_yet_another_Reply_without_spaces
It's my mistake, but there is two methods to define attributes into the LDAP directory: generic attribute and mapped attribute. I'd like you to test with one-to-one-mapped attributes, sorry. I also noticed that Reply-Message isn't in RADIUS-LDAPv3.schema, so we need an other attribute of type string for the tests. Could you please modify your LDAP entry like that? # testuser2, People, mogli.de dn: uid=testuser2,ou=People,dc=mogli,dc=de [...] radiusFilterId: foo bar radiusFilterId: += foo_bar Please run radtest or radclient again, and let me know the result. Thanks for your help. -- Nicolas Baradakis
Zitat von Nicolas Baradakis <nbk@sitadelle.com>:
Markus Krause wrote:
so here is what i did and what happend (on a current debian sarge linux, suse seems to be missing some packages): [...]
Very well, everything seems fine.
now the entry of a ldap user (as ldif): # testuser2, People, mogli.de dn: uid=testuser2,ou=People,dc=mogli,dc=de [...] radiusReplyItem: Reply-Message := foo bar radiusReplyItem: Reply-Message += This_is_a_Reply radiusReplyItem: Reply-Message += This is another Reply with spaces radiusReplyItem: Reply-Message += This_is_yet_another_Reply_without_spaces
It's my mistake, but there is two methods to define attributes into the LDAP directory: generic attribute and mapped attribute. I'd like you to test with one-to-one-mapped attributes, sorry. well, no problem!
I also noticed that Reply-Message isn't in RADIUS-LDAPv3.schema, that's why i used readiusReplyItem, i thought that is what this item is for (if there is no such ldap attribute)
so we need an other attribute of type string for the tests. Could you please modify your LDAP entry like that?
# testuser2, People, mogli.de dn: uid=testuser2,ou=People,dc=mogli,dc=de [...] radiusFilterId: foo bar radiusFilterId: += foo_bar
Please run radtest or radclient again, and let me know the result. radiusFilterId is a single-value entry: ++++ (part) RADIUS-LDAPv3.schema attributetype ( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
so i used two different users: testuser3: radiusFilterId: foo bar testuser4: radiusFilterId: foo_bar radtest says: atlas:~# radtest testuser3 secret localhost 0 testing123 Sending Access-Request of id 53 to 127.0.0.1 port 1812 User-Name = "testuser3" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=53, length=29 Filter-Id = "foo bar" atlas:~# radtest testuser3 secret localhost 0 testing123 Sending Access-Request of id 53 to 127.0.0.1 port 1812 User-Name = "testuser3" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=53, length=29 Filter-Id = "foo bar" so it looks good for the attribute "Filter-Id"/"radiusFilterID"!
Thanks for your help. well, you (and alan and others) do so much great work, i am really glad to be of some help!
let me know if i can do some more testing! regards markus -- Markus Krause email: krause@biochem.mpg.de Computing Center Tel.: 089 - 89 40 85 99 Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98 --------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
so i used two different users: testuser3: radiusFilterId: foo bar
radtest says:
atlas:~# radtest testuser3 secret localhost 0 testing123 Sending Access-Request of id 53 to 127.0.0.1 port 1812 User-Name = "testuser3" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=53, length=29 Filter-Id = "foo bar"
so it looks good for the attribute "Filter-Id"/"radiusFilterID"!
Indeed. According to the bug report, old code would have returned Filter-Id = "foo" therefore the patch doesn't truncate the value anymore.
let me know if i can do some more testing!
Please try the other examples posted to the bugzilla: with an operator, with quotes, with back-quotes, etc. http://bugs.freeradius.org/show_bug.cgi?id=261 -- Nicolas Baradakis
Zitat von Nicolas Baradakis <nbk@sitadelle.com>:
Markus Krause wrote:
so it looks good for the attribute "Filter-Id"/"radiusFilterID"!
Indeed. According to the bug report, old code would have returned Filter-Id = "foo" therefore the patch doesn't truncate the value anymore.
let me know if i can do some more testing!
Please try the other examples posted to the bugzilla: with an operator, with quotes, with back-quotes, etc.
http://bugs.freeradius.org/show_bug.cgi?id=261 ok, here you are: first a table with the ldap values (i added some more or less "sensible" variations just out of curiosity) for the user names, together with the reply by freeradius (details see below):
username | radiusFilterId | reply ------------+----------------------+-------------------------- testuser3 | foo bar | Filter-Id = "foo bar" testuser4 | foo_bar | Filter-Id = "foo_bar" testuser5 | "foo bar" | Filter-Id = "foo bar" testuser6 | "foo"bar | Filter-Id = ""foo"bar" testuser7 | `Hello %{User-Name}` | (Segmentation fault) testuser8 | += foo bar | Filter-Id = "foo bar" testuser9 | += 'foo bar' | Filter-Id = "foo bar" testuser10 | += 'foo ba'r | Filter-Id = "'foo ba'r" testuser11 | `Hello foo bar` | (Segmentation fault) testuser12 | "foo"bar" | Filter-Id = "foo" testuser13 | ""foo bar"" | testuser14 | += ""foo bar"" | testuser15 | ""foo"bar"" | testuser16 | += ""foo"bar"" | testuser17 | += "foo"bar | Filter-Id = ""foo"bar" testuser18 | += ""foo"bar" | testuser19 | foo"bar | Filter-Id = "foo"bar" testuser20 | foo""bar | Filter-Id = "foo""bar" testuser21 | foo`bar | Filter-Id = "foo`bar" it seems that to back-quotes "`" cause a segmentation fault, but one does not. in addition with three seperate quotes " the string is truncated (see testuser12), a two times two quotes as pair "" show nothing .. actually i do not know if these values make sense (but i also do not understand what an operator could be of use in a single value ldap attribute (radiusFilterId) either as i said before i am not a radius expert, just using it ;-) so now for radtest answers: User-Name = "testuser4" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=153, length=29 Filter-Id = "foo_bar" atlas:~# radtest testuser5 secret localhost 0 testing123 Sending Access-Request of id 157 to 127.0.0.1 port 1812 User-Name = "testuser5" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=157, length=29 Filter-Id = "foo bar" atlas:~# radtest testuser6 secret localhost 0 testing123 Sending Access-Request of id 162 to 127.0.0.1 port 1812 User-Name = "testuser6" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=162, length=30 Filter-Id = ""foo"bar" atlas:~# radtest testuser7 secret localhost 0 testing123 here freeradius does a segmentation fault! the problem seem to be the back-quotes "`". the debug output of "freeradius -X" : Finished request 3 Going to the next request --- Walking the entire request list --- Cleaning up request 1 ID 153 with timestamp 43c53288 Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 157 with timestamp 43c5328b Waking up in 3 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32795, id=166, length=61 User-Name = "testuser7" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 modcall[authorize]: module "files" returns notfound for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser7 radius_xlat: '(uid=testuser7)' radius_xlat: 'dc=mogli,dc=de' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=testuser7) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... Segmentation fault atlas:~# now the next: atlas:~# radtest testuser8 secret localhost 0 testing123 Sending Access-Request of id 253 to 127.0.0.1 port 1812 User-Name = "testuser8" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=253, length=29 Filter-Id = "foo bar" atlas:~# radtest testuser9 secret localhost 0 testing123 Sending Access-Request of id 2 to 127.0.0.1 port 1812 User-Name = "testuser9" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=2, length=29 Filter-Id = "foo bar" atlas:~# radtest testuser10 secret localhost 0 testing123 Sending Access-Request of id 6 to 127.0.0.1 port 1812 User-Name = "testuser10" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=6, length=31 Filter-Id = "'foo ba'r" atlas:~# radtest testuser11 secret localhost 0 testing123 testuser11 again has back-quotes in the radiusFilterId, and again freeradius segfaults! (same output like above with testuser7, so i do not repeat the debug output, it looks the same). now for the rest: atlas:~# radtest testuser12 secret localhost 0 testing123 Sending Access-Request of id 109 to 127.0.0.1 port 1812 User-Name = "testuser12" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=109, length=25 Filter-Id = "foo" atlas:~# radtest testuser13 secret localhost 0 testing123 Sending Access-Request of id 113 to 127.0.0.1 port 1812 User-Name = "testuser13" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=113, length=20 atlas:~# radtest testuser14 secret localhost 0 testing123 Sending Access-Request of id 118 to 127.0.0.1 port 1812 User-Name = "testuser14" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=118, length=20 atlas:~# radtest testuser15 secret localhost 0 testing123 Sending Access-Request of id 123 to 127.0.0.1 port 1812 User-Name = "testuser15" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=123, length=20 atlas:~# radtest testuser16 secret localhost 0 testing123 Sending Access-Request of id 127 to 127.0.0.1 port 1812 User-Name = "testuser16" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=127, length=20 atlas:~# radtest testuser17 secret localhost 0 testing123 Sending Access-Request of id 132 to 127.0.0.1 port 1812 User-Name = "testuser17" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=132, length=30 Filter-Id = ""foo"bar" atlas:~# radtest testuser18 secret localhost 0 testing123 Sending Access-Request of id 136 to 127.0.0.1 port 1812 User-Name = "testuser18" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=20 atlas:~# radtest testuser19 secret localhost 0 testing123 Sending Access-Request of id 141 to 127.0.0.1 port 1812 User-Name = "testuser19" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=141, length=29 Filter-Id = "foo"bar" atlas:~# radtest testuser20 secret localhost 0 testing123 Sending Access-Request of id 145 to 127.0.0.1 port 1812 User-Name = "testuser20" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=145, length=30 Filter-Id = "foo""bar" atlas:~# radtest testuser21 secret localhost 0 testing123 Sending Access-Request of id 150 to 127.0.0.1 port 1812 User-Name = "testuser21" User-Password = "secret" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=150, length=29 Filter-Id = "foo`bar" atlas:~# what to test next? ;-) regards markus -- Markus Krause email: krause@biochem.mpg.de Computing Center Tel.: 089 - 89 40 85 99 Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98 --------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause wrote:
first a table with the ldap values (i added some more or less "sensible" variations just out of curiosity) for the user names, together with the reply by freeradius (details see below):
Many thanks for all these tests. I've a few comments about the results.
username | radiusFilterId | reply ------------+----------------------+-------------------------- testuser3 | foo bar | Filter-Id = "foo bar" testuser4 | foo_bar | Filter-Id = "foo_bar" testuser5 | "foo bar" | Filter-Id = "foo bar"
"foo bar" is correctly quoted, therefore the quote are removed in the RADIUS reply. -> test OK
testuser6 | "foo"bar | Filter-Id = ""foo"bar" testuser19 | foo"bar | Filter-Id = "foo"bar" testuser20 | foo""bar | Filter-Id = "foo""bar" testuser21 | foo`bar | Filter-Id = "foo`bar"
The strings are incorrectly quoted, therefore they are considered as bare words. It's the same behaviour as when reading attribute from a sql database. -> test OK
testuser8 | += foo bar | Filter-Id = "foo bar" testuser9 | += 'foo bar' | Filter-Id = "foo bar" testuser10 | += 'foo ba'r | Filter-Id = "'foo ba'r" testuser17 | += "foo"bar | Filter-Id = ""foo"bar"
The same as testuser3,5,6 with a leading operator. The operator is correctly removed from the RADIUS reply -> test OK
testuser12 | "foo"bar" | Filter-Id = "foo" testuser13 | ""foo bar"" | testuser14 | += ""foo bar"" | testuser15 | ""foo"bar"" | testuser16 | += ""foo"bar"" | testuser18 | += ""foo"bar" |
This is interesting. These strings bypass the test "start and end with a quote" but are still not correctly quoted. The ldap module stops parsing the string at the second unescaped quote it finds, and the sql module does the same. (the rationale is to escape the quotes in a quoted string) It's arguably buggy, but it's the same behaviour as the old ldap code (truncation) and the same behaviour as the sql module. (I did a test with sql to be sure of this)
testuser7 | `Hello %{User-Name}` | (Segmentation fault) testuser11 | `Hello foo bar` | (Segmentation fault)
It's a stupid bug in my code :(
actually i do not know if these values make sense (but i also do not understand what an operator could be of use in a single value ldap attribute (radiusFilterId) either as i said before i am not a radius expert, just using it ;-)
You can put the attribute Filter-Id several times in the RADIUS reply if you want. For example: dn: uid=testuser22,ou=People,dc=mogli,dc=de radiusFilterId: foo radiusFilterId: += bar
what to test next? ;-)
We still need to fix the back-quote expansion. Please apply the following patch to your sources, recompile, and authenticate the testuser7 again. --- src/modules/rlm_ldap/rlm_ldap.c.orig 2006-01-11 18:34:22.781749360 +0100 +++ src/modules/rlm_ldap/rlm_ldap.c 2006-01-11 18:54:06.102857208 +0100 @@ -2398,7 +2398,7 @@ /* the value will be xlat'ed later */ case T_BACK_QUOTED_STRING: - value = NULL; + value = buf; do_xlat = TRUE; break; @@ -2418,7 +2418,8 @@ * Create the pair. */ newpair = pairmake(element->radius_attr, - value, operator); + do_xlat ? NULL : value, + operator); if (newpair == NULL) { radlog(L_ERR, "rlm_ldap: Failed to create the pair: %s", librad_errstr); continue; -- Nicolas Baradakis
participants (2)
-
Markus Krause -
Nicolas Baradakis