Hello, I'm working with Freeradius 2.1.10 I want to authorize an user usng a multivaluated attribute (Relaciones), so I use perl. The values of the attribute Relaciones are store in ldap. Nombre-Completo is another attribute store in ldap. "Relaciones" is a integer value. An user is authorize if have one attribute "Relaciones" with a positive value (no + sign). Relaciones, Nombre-Completo and Codigo-Reject are vendor specific attributes defined in /usr/share/freeradius/dictionary.rinuex My script perl is: # cat /etc/freeradius/perl/checkRelaciones.pm #!/usr/bin/perl use strict; use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK); #use Data::Dumper; use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */ use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */ sub authorize { my $refRelaciones; if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}){ $refRelaciones=$RAD_REPLY{'Relaciones'}; foreach (@{$refRelaciones}) { if ($_ =~ /^[0-9]{2}/) { return RLM_MODULE_OK; } } $RAD_REPLY{'Codigo-Reject'}=11; #Sin-Relacion } return RLM_MODULE_REJECT; } Everything works fine. My problem is that rlm_perl duplicate an attribute in %RAD_REPLY hash. Debug: rad_recv: Access-Request packet from host x.x.x.x port 56822, id=100, length=75 User-Name = "ana@unex.es" User-Password = "1111" Calling-Station-Id = "..." server rinuex { ... [ldap1] looking for check items in directory... [ldap1] ntPassword -> NT-Password == 0x3.. [ldap1] looking for reply items in directory... [ldap1] Relaciones -> Relaciones += "03" [ldap1] sn -> Nombre-Completo = "Ana Gallardo" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap1] user ana authorized to use remote access [ldap1] ldap_release_conn: Release Id: 0 ++++[ldap1] returns ok ... rlm_perl: Added pair User-Name = ana@unex.es rlm_perl: Added pair User-Password = 1111 rlm_perl: Added pair Intentos-Reject = 0 rlm_perl: Added pair SQL-User-Name = ana rlm_perl: Added pair Realm = unex.es rlm_perl: Added pair Stripped-User-Name = ana rlm_perl: Added pair Calling-Station-Id = ... rlm_perl: Added pair Nombre-Completo = Ana Gallardo rlm_perl: Added pair Relaciones = 03 rlm_perl: Added pair Relaciones = Ana Gallardo rlm_perl: Added pair NT-Password = 0x344... rlm_perl: Added pair Simultaneous-Use = 1 rlm_perl: Added pair Ldap-UserDn = ... ++[perl] returns ok ... ++[pap] returns ok ... } # server rinuex Sending Access-Accept of id 100 to x.x.x.x port 56822 Nombre-Completo = "Ana Gallardo" Relaciones += "03" Relaciones += "Ana Gallardo" Any ideas?? Sorry for my english and thank you in advance. ____________________ Ana Gallardo Gómez ____________________
My problem is that rlm_perl duplicate an attribute in %RAD_REPLY hash.
I'm not sure if this will fix it, but try: use constant RLM_MODULE_UPDATED=> 8;# /* OK (pairs modified) */ then change "return RLM_MODULE_OK" to: return RLM_MODULE_UPDATED; If this doesn't fix it, you can always delete the undesired member from the hash before you return.
Hello, thank you very much for your response. I’m not sure if this will fix it, but try:
use constant RLM_MODULE_UPDATED=> 8;# /* OK (pairs modified) */
then change “return RLM_MODULE_OK” to:
return RLM_MODULE_UPDATED;
I try that but the problem persist. If this doesn’t fix it, you can always delete the undesired member from the
hash before you return.
Yes, I know :) but it would be better if we can solve that Thanks again -- ____________________ Ana Gallardo Gómez ____________________
Hello, I've tested adding my vendor specific attributes to check list, and the problem persist. Here is the debug info: rad_recv: Access-Request packet from host x.x.x.x port 32880, id=4, length=75 User-Name = "ana@unex.es" User-Password = "1111111" Calling-Station-Id = "..." ... [ldap1] performing user authorization for ana [ldap1] expand: %{Stripped-User-Name} -> ana [ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana) ... [ldap1] Bind was successful ... [ldap1] looking for check items in directory... [ldap1] Relaciones -> Relaciones += "06" [ldap1] Relaciones -> Relaciones += "01" [ldap1] ntPassword -> NT-Password == 0x44... [ldap1] looking for reply items in directory... [ldap1] sn -> Nombre-Completo = "Ana Gllardo" ... [ldap1] user ana authorized to use remote access ... rlm_perl: RAD_REQUEST: User-Name = ana@unex.es rlm_perl: RAD_REQUEST: User-Password = 1111111 rlm_perl: RAD_REQUEST: Intentos-Reject = 0 rlm_perl: RAD_REQUEST: SQL-User-Name = ana rlm_perl: RAD_REQUEST: Realm = unex.es rlm_perl: RAD_REQUEST: Stripped-User-Name = ana rlm_perl: RAD_REQUEST: Calling-Station-Id = ... rlm_perl: RAD_CHECK: NT-Password = 0x44... rlm_perl: RAD_CHECK: Simultaneous-Use = 1 rlm_perl: RAD_CHECK: Relaciones = ARRAY(0x1d59618) rlm_perl: RAD_CHECK: Ldap-UserDn = ... rlm_perl: RAD_REREPLY: Nombre-Completo = Ana Gallardo rlm_perl: relacion: 06 rlm_perl: relacion: 01 rlm_perl: relacion: 0x44... ... Finally, my solution was delete the undesired member from the hash. # cat /etc/freeradius/perl/checkRelaciones.pm #!/usr/bin/perl use strict; use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK); use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */ use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */ sub authorize { &solucion_bug; return &check_relaciones; } sub solucion_bug { my $r; my @array; if (exists $RAD_CHECK{'Relaciones'} && defined $RAD_CHECK{'Relaciones'}){ $r=$RAD_CHECK{'Relaciones'}; if (ref($r) eq "ARRAY") { foreach (@{$r}) { #&radiusd::radlog(1, "relacion: $_"); if ($_ =~ /^[0-9]{2}/) { push(@array, $_); } } if ($#array > 0){ $RAD_REPLY{'Relaciones'}=\@array; } elsif ($#array == 0){ $RAD_REPLY{'Relaciones'}=$array[0]; } } unless (ref($r)) { #&radiusd::radlog(1, "relacion: $r"); if ($r =~ /^[0-9]{2}/) { $RAD_REPLY{'Relaciones'}=$r; } } delete($RAD_CHECK{'Relaciones'}); } } sub check_relaciones { my $r; if (exists $RAD_REPLY{'Relaciones'} && defined $RAD_REPLY{'Relaciones'}){ return RLM_MODULE_OK; } else{ $RAD_REPLY{'Codigo-Reject'}=11; #Sin-Relacion-UEX return RLM_MODULE_REJECT; } } Thank you very much. ++++++++++++++++++++ ++ Ana Gallardo Gómez ++ ++++++++++++++++++++
participants (2)
-
Ana Gallardo -
Garber, Neal