RE: problem with NT-Password and LDAP
OK, use the "perl" module to re-write the attribute. There is an "example.pl" distributed with the server that should be a good start.
Alan DeKok.
I 'm trying to use the perl module to authenticate users removing white spaces from NT-Password. This is my remove_white_spaces.pl: use strict; use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_CONFIG %RAD_PROXY %RAD_PROXY_REPLY); use Data::Dumper; use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */ use constant RLM_MODULE_FAIL=> 1;# /* module failed, don't reply */ use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */ use constant RLM_MODULE_HANDLED=> 3;# /* the module handled the request, so stop. */ use constant RLM_MODULE_INVALID=> 4;# /* the module considers the request invalid. */ use constant RLM_MODULE_USERLOCK=> 5;# /* reject the request (user is locked out) */ use constant RLM_MODULE_NOTFOUND=> 6;# /* user not found */ use constant RLM_MODULE_NOOP=> 7;# /* module succeeded without doing anything */ use constant RLM_MODULE_UPDATED=> 8;# /* OK (pairs modified) */ use constant RLM_MODULE_NUMCODES=> 9;# /* How many return codes there are */ sub hex_to_ascii ($) { # Convert each two-digit hex number back to an ASCII character. (my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg; return $str; } sub ascii_to_hex ($) { ## Convert each ASCII character to a two-digit hex number. (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg; return $str; } # Function to handle authorize sub authorize { my $h_str = $RAD_CHECK{'NT-Password'}; &radiusd::radlog(1, "NT-Password (hex) ..... $h_str"); my $a_str = hex_to_ascii $h_str; $a_str=~s/(\s)+$//; $a_str=~s/(0x)//; &radiusd::radlog(1, "NT-Password (ascii) ..... $a_str"); $h_str = ascii_to_hex $a_str; $RAD_CHECK{'NT-Password'}=$h_str; &radiusd::radlog(1, "NT-Password ..... $RAD_CHECK{'NT-Password'}"); return RLM_MODULE_OK; } In radiusd.conf... perl { module = /usr/local/radius/scripts_perl/quitar_espacios.pl max_clones = 32 start_clones = 5 min_spare_clones = 3 max_spare_clones = 3 cleanup_delay = 5 max_request_perl_clone = 0 } authorize { preprocess suffix files Autz-Type LDAP_UNEX_ES{ ldap_unex_es perl } mschap eap } The debug information is: rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap_unex_es" returns ok for request 6 perl_pool: item 0x835eb10 asigned new request. Handled so far: 3 found interpetator at address 0x835eb10 rlm_perl: NT-Password (hex) ..... 0x303642313145334439343130323145314135433531433638363846324630453620202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020 rlm_perl: NT-Password (ascii) ..... 06B11E3D941021E1A5C51C6868F2F0E6 rlm_perl: NT-Password ..... 3036423131453344393431303231453141354335314336383638463246304536 rlm_perl: Added pair NT-Password = 3036423131453344393431303231453141354335314336383638463246304536 rlm_perl: Added pair User-Password = 76027476 rlm_perl: Added pair Autz-Type = LDAP_UNEX_ES rlm_perl: Added pair Simultaneous-Use = 1 rlm_perl: Added pair Auth-Type = EAP perl_pool total/active/spare [3/0/3] Unreserve perl at address 0x835eb10 modcall[authorize]: module "perl" returns ok for request 6 modcall: leaving group LDAP_UNEX_ES (returns ok) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: Invalid NT-Password <---- rlm_mschap: Told to do MS-CHAPv2 for 02747632 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 6 modcall: leaving group MS-CHAP (returns reject) for request 6 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 6 modcall: leaving group authenticate (returns reject) for request 6 auth: Failed to validate the user. Login incorrect: [02747632/<no User-Password attribute>] (from client localhost port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 ... I don't know what is the problem: NT-Password is hexadecimal? incorrect use of perl module?... Thank you specially to Alan _________________________________________________________________ Llama a tus amigos de PC a PC: ¡Es GRATIS! http://get.live.com/messenger/overview
Ana Gallardo Gómez wrote:
OK, use the "perl" module to re-write the attribute. There is an "example.pl" distributed with the server that should be a good start.
Alan DeKok.
I 'm trying to use the perl module to authenticate users removing white spaces from NT-Password. This is my remove_white_spaces.pl:
If your previous solution worked, why use Perl? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Ana Gallardo Gómez