problem with NT-Password and LDAP

Ana Gallardo Gómez ana_gallardo_77 at hotmail.com
Thu Jan 4 11:16:54 CET 2007




>   OK, use the "perl" module to re-write the attribute.  There is an
> "example.pl" distributed with the server that should be a good start.
> 
>   Alan DeKok.

I'm trying to use the perl module to authenticate users by removing white space from NT-Password. This is my remove_white_spaces.pl:

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_CONFIG %RAD_PROXY %RAD_PROXY_REPLY);
use Data::Dumper;

# Module return codes
use constant RLM_MODULE_REJECT   => 0;  # immediately reject the request
use constant RLM_MODULE_FAIL     => 1;  # module failed, don't reply
use constant RLM_MODULE_OK       => 2;  # the module is OK, continue
use constant RLM_MODULE_HANDLED  => 3;  # the module handled the request, so stop
use constant RLM_MODULE_INVALID  => 4;  # the module considers the request invalid
use constant RLM_MODULE_USERLOCK => 5;  # reject the request (user is locked out)
use constant RLM_MODULE_NOTFOUND => 6;  # user not found
use constant RLM_MODULE_NOOP     => 7;  # module succeeded without doing anything
use constant RLM_MODULE_UPDATED  => 8;  # OK (pairs modified)
use constant RLM_MODULE_NUMCODES => 9;  # how many return codes there are

sub hex_to_ascii ($)
{
    # Convert each two-digit hex number back to an ASCII character.
    (my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
    return $str;
}

sub ascii_to_hex ($)
{
    # Convert each ASCII character to a two-digit hex number.
    (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
    return $str;
}

# Function to handle authorize
sub authorize {
    # Value of NT-Password as found in the check items
    my $h_str = $RAD_CHECK{'NT-Password'};
    &radiusd::radlog(1, "NT-Password (hex) ..... $h_str");

    # Decode to text, then strip the trailing white space and the "0x" prefix
    my $a_str = hex_to_ascii $h_str;
    $a_str =~ s/(\s)+$//;
    $a_str =~ s/(0x)//;
    &radiusd::radlog(1, "NT-Password (ascii) ..... $a_str");

    # Encode the trimmed text as hex again and store it back
    $h_str = ascii_to_hex $a_str;
    $RAD_CHECK{'NT-Password'} = $h_str;
    &radiusd::radlog(1, "NT-Password ..... $RAD_CHECK{'NT-Password'}");
    return RLM_MODULE_OK;
}

In radiusd.conf...

perl {
    module = /usr/local/radius/scripts_perl/quitar_espacios.pl
    max_clones = 32
    start_clones = 5
    min_spare_clones = 3
    max_spare_clones = 3
    cleanup_delay = 5
    max_request_perl_clone = 0
}

authorize {
    preprocess
    suffix
    files
    Autz-Type LDAP_UNEX_ES {
        ldap_unex_es
        perl
    }
    mschap
    eap
}


The debug information is:

rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap_unex_es" returns ok for request 6
perl_pool: item 0x835eb10 asigned new request. Handled so far: 3
found interpetator at address 0x835eb10

rlm_perl: NT-Password (hex) ..... 0x303642313145334439343130323145314135433531433638363846324630453620202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020
rlm_perl: NT-Password (ascii) ..... 06B11E3D941021E1A5C51C6868F2F0E6
rlm_perl: NT-Password ..... 3036423131453344393431303231453141354335314336383638463246304536
rlm_perl: Added pair NT-Password = 3036423131453344393431303231453141354335314336383638463246304536

rlm_perl: Added pair User-Password = 76027476
rlm_perl: Added pair Autz-Type = LDAP_UNEX_ES
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Auth-Type = EAP
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x835eb10
  modcall[authorize]: module "perl" returns ok for request 6
modcall: leaving group LDAP_UNEX_ES (returns ok) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6

rlm_mschap: Invalid NT-Password           <----

  rlm_mschap: Told to do MS-CHAPv2 for 02747632 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect: [02747632/<no User-Password attribute>] (from client localhost port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
...


I don't know what the problem is: is NT-Password hexadecimal? Incorrect use of the perl module?...


Thank you, especially to Alan.





More information about the Freeradius-Users mailing list
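
The debug output in the message above shows the script storing a 64-digit value, which is the hex encoding of the 32-character hash text rather than the hash itself. As an added example (not part of the original post), the Perl below normalizes the three forms seen in that log to 32 hex digits and rejects anything else. It assumes the consumer wants the 16-byte NT hash written as 32 hex digits; the function names are hypothetical and the padding length in the sample is constructed.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Function names are hypothetical.
use strict;
use warnings;

# Decode a value such as the one logged as "NT-Password (hex)": an optional
# 0x prefix followed by hex digits that encode ASCII text padded with spaces.
sub decode_padded_hex {
    my ($value) = @_;
    (my $hex = $value) =~ s/^0x//i;
    return unless length($hex) % 2 == 0 && $hex =~ /^[0-9a-fA-F]+$/;
    my $text = pack('H*', $hex);
    $text =~ s/\s+$//;                    # drop the trailing padding
    return $text;
}

# Return the NT hash as 32 upper-case hex digits, or undef when the input
# cannot be a 16-byte hash in any of the encodings handled here.
sub normalize_nt_hash {
    my ($value) = @_;
    return unless defined $value;
    return uc $value if $value =~ /^[0-9a-fA-F]{32}$/;   # already a bare hash
    my $text = decode_padded_hex($value);
    return unless defined $text && $text =~ /^[0-9a-fA-F]{32}$/;
    return uc $text;
}

# Sample inputs. The hash text is the one shown in the debug log; the
# amount of padding is constructed for this example.
my $hash       = '06B11E3D941021E1A5C51C6868F2F0E6';
my $ldap_value = '0x' . unpack('H*', $hash . (' ' x 24));  # padded LDAP form
my $reencoded  = unpack('H*', $hash);                      # 64-digit form
my $malformed  = '0x3036zz';                               # not valid hex

for my $case ($ldap_value, $reencoded, $hash, $malformed) {
    my $out   = normalize_nt_hash($case);
    my $shown = length($case) > 20 ? substr($case, 0, 20) . '...' : $case;
    printf "%-24s (%3d chars) -> %s\n", $shown, length($case),
        defined $out ? $out . ' (' . length($out) . ' hex digits)' : 'rejected';
}

# In an rlm_perl authorize handler the normalized value would be the one
# assigned to $RAD_CHECK{'NT-Password'} (assumption: 32 hex digits expected).
```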