Trimming character of variables within configuration files
Is there a way I could trim a variable (such as a password variable) within a configuration file. I saw a few examples manipulating variables using unlang here: http://freeradius.org/radiusd/man/unlang.html#lbAB but could not find anything about trimming variables. For example I have the following /etc/freeradius/ntlm_auth # # For testing ntlm_auth authentication with PAP. # # If you have problems with authentication failing, even when the # password is good, it may be a bug in Samba: # # https://bugzilla.samba.org/show_bug.cgi?id=6563 # exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=TEST.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" } The password variable input initially has an authentication code appended to the password and hence needs to be trimmed of the password variable so it authenticates with AD correctly. So e.g. the input password is: 'testing123456' - but needs to be trimmed to 'testing'
On Wed, Apr 17, 2013 at 11:45:33AM +0100, P. Manton wrote:
Is there a way I could trim a variable (such as a password variable) within a configuration file. I saw a few examples manipulating variables using unlang here: http://freeradius.org/radiusd/man/unlang.html#lbAB but could not find anything about trimming variables.
regex: if ("%{User-Password}" =~ /^(.*)123456$/) { update request { User-Password := "%{1}" } } Matthew
For example I have the following /etc/freeradius/ntlm_auth
# # For testing ntlm_auth authentication with PAP. # # If you have problems with authentication failing, even when the # password is good, it may be a bug in Samba: # # https://bugzilla.samba.org/show_bug.cgi?id=6563 # exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=TEST.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" }
The password variable input initially has an authentication code appended to the password and hence needs to be trimmed of the password variable so it authenticates with AD correctly.
So e.g. the input password is: 'testing123456' - but needs to be trimmed to 'testing'
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 17/04/13 11:45, P. Manton wrote:
Is there a way I could trim a variable (such as a password variable) within a configuration file. I saw a few examples manipulating variables using unlang here: http://freeradius.org/radiusd/man/unlang.html#lbAB but could not find anything about trimming variables.
Use a regexp: authorize { ... if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password = "%{1}" Some-PIN-Attr = "%{2}" } } ... } If you mean "trim when expanding" you can't; you must transform the variable into another one, then use that. If you don't want to mangle User-Password, define another attribute in the dictionary, taking note of the correct attribute numbers to use (as defined in the comments)
Hi, Thanks - that was just was just what I was looking for, although I assume something like the following would go into /etc/freeradius/sites-enabled/default authorize { ... ntlm_auth { if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password = "%{1}" Some-PIN-Attr = "%{2}" } } } ... Although it complains in the debug (radiusd -XXX) about the following: Wed Apr 17 12:47:23 2013 : Debug: including configuration file /etc/freeradius/sites-enabled/default Wed Apr 17 12:47:23 2013 : Error: /etc/freeradius/sites-enabled/default[216]: Too many closing braces Wed Apr 17 12:47:23 2013 : Error: Errors reading /etc/freeradius/radiusd.conf On Wed, Apr 17, 2013 at 12:00 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 17/04/13 11:45, P. Manton wrote:
Is there a way I could trim a variable (such as a password variable) within a configuration file. I saw a few examples manipulating variables using unlang here: http://freeradius.org/radiusd/**man/unlang.html#lbAB<http://freeradius.org/radiusd/man/unlang.html#lbAB> but could not find anything about trimming variables.
Use a regexp:
authorize { ... if (User-Password =~ /^(.+)([0-9]{6})$/) {
update request { User-Password = "%{1}" Some-PIN-Attr = "%{2}" } } ... }
If you mean "trim when expanding" you can't; you must transform the variable into another one, then use that. If you don't want to mangle User-Password, define another attribute in the dictionary, taking note of the correct attribute numbers to use (as defined in the comments)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi,
Although it complains in the debug (radiusd -XXX) about the following:
Wed Apr 17 12:47:23 2013 : Debug: including configuration file /etc/freeradius/sites-enabled/default Wed Apr 17 12:47:23 2013 : Error: /etc/freeradius/sites-enabled/default[216]: Too many closing braces Wed Apr 17 12:47:23 2013 : Error: Errors reading /etc/freeradius/radiusd.conf
yes, strange that. its almost like there are too many closing braces in your config...oh wait. there are. alan
On 17/04/13 13:00, P. Manton wrote:
Although it complains in the debug (radiusd -XXX) about the following:
Wed Apr 17 12:47:23 2013 : Debug: including configuration file /etc/freeradius/sites-enabled/default Wed Apr 17 12:47:23 2013 : Error: /etc/freeradius/sites-enabled/default[216]: Too many closing braces Wed Apr 17 12:47:23 2013 : Error: Errors reading /etc/freeradius/radiusd.conf
Yes, because you just made up syntax. Look again at the examples you were given, and the examples that come with the server.
OK, So I see there is a preprocess module that says you can manipulate attributes: # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. so I added the following: if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password = "%{1}" Some-PIN-Attr = "%{2}" } } Although it did not trim the password and returned Access_Reject (I also saw from the debug that the 6 digit number had not been trimmed) , so I also attempted to add this to the ntlm_auth module with the same result, I am really at a loss here.. On Wed, Apr 17, 2013 at 1:44 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 17/04/13 13:00, P. Manton wrote:
Although it complains in the debug (radiusd -XXX) about the following:
Wed Apr 17 12:47:23 2013 : Debug: including configuration file /etc/freeradius/sites-enabled/**default Wed Apr 17 12:47:23 2013 : Error: /etc/freeradius/sites-enabled/**default[216]: Too many closing braces Wed Apr 17 12:47:23 2013 : Error: Errors reading /etc/freeradius/radiusd.conf
Yes, because you just made up syntax.
Look again at the examples you were given, and the examples that come with the server.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
P. Manton wrote:
OK, So I see there is a preprocess module that says you can manipulate attributes:
# The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard.
Yes. Quoting the configuration files here is useful. It's not like we've seen them before.
so I added the following:
if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password = "%{1}" Some-PIN-Attr = "%{2}" } }
Which has absolutely nothing to do with the preprocess module. That is the generic attribute conditions / rewriting, as documented in "man unlang".
Although it did not trim the password and returned Access_Reject (I also saw from the debug that the 6 digit number had not been trimmed) , so I also attempted to add this to the ntlm_auth module with the same result, I am really at a loss here..
You're adding random bits of text to random configuration files. That won't work. Adding "unlang" if/update sections to module configurtions WILL NOT WORK. And if you read "man unlang", it's DOCUMENTED as not working. You need to put the if/update sections inside of the raddb/sites-enabled/ files. They WILL NOT WORK anywhere else. Alan DeKok.
On 17/04/13 14:25, P. Manton wrote:
OK, So I see there is a preprocess module that says you can manipulate attributes:
# The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard.
so I added the following:
if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password = "%{1}" Some-PIN-Attr = "%{2}" } }
Although it did not trim the password and returned Access_Reject (I also saw from the debug that the 6 digit number had not been trimmed) , so I also attempted to add this to the ntlm_auth module with the same result, I am really at a loss here..
Sigh. I gave a clear and specific example, as did someone else, and you insist on doing random stuff. If you're not going to read what I wrote the first time, I'm not going to repeat it.
Hi, On Wed, Apr 17, 2013 at 02:25:36PM +0100, P. Manton wrote:
OK, So I see there is a preprocess module that says you can manipulate attributes:
preprocess is irrelevant here.
# The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard.
Yes - it's not something that you can change. It solves a fixed set of problems.
so I added the following:
if (User-Password =~ /^(.+)([0-9]{6})$/) { update request { User-Password = "%{1}"
Use := = will not overwrite an existing attribute, so it will not change the attribute. Then look at the debug output to check that it actually did what you asked (e.g. the regex is right, etc). Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Matthew Newton -
P. Manton -
Phil Mayers