Modifying User-Name and User-Password attributes in a module
Stefan Winter
stefan.winter at restena.lu
Thu Apr 10 08:43:54 CEST 2008
> > update request {
> > User-Name := whatever
> > User-Password := wh4t3v3r
> > }
> >
> > in the pre-proxy section work? No need for a module then... And if I may
> > ask, why would you need to modify name and password for proxying? If it's
> > just about cutting out realms, there is an excellent realm module to do
> > that for you.
>
> Yes, I can do that for static modifications, but in my case I have to
> split the password and extract N bytes from it, which is a One-time
> password for 2 factor authentication. I have to receive AUTH_ACK from
> main radius server using the original password and then process the
> second authentication stage with a 2 factor authentication manager using
> that N bytes long OTP. (Connecting to 2FA server, sending OTP and
> receiving result) This is why I need to do it in a module.
unlang can do WAY more than just static replacements. Use a regular
expression.
if ( %{request:User-Password} =~ (.*)(......) ) update request {
User-Password := %{2}
}
... or something close to that. My syntax may be imperfect, maybe someone can
provide a more bullet-proof/correct one.
This here is supposed to mean: if the password is at least 6 characters long,
change the password so that it only is those last six characters (%{1} would
be: only the first part, without the trailing OTP).
If it is less than six, this expression does nothing. I guess in your scenario
you would want to discard those outright, because they don't contain a valid
OTP. Add another rule for this case then. I'm ssuming your "N" to be = 6
because that's a common length for OTPs. Put more/less dots at the end of the
regexp if you have a different setup.
> Now, any ideas on which of the user-password vp's I have to change ?
I'm trying to prepare you for the tough conclusion that you may not need any
code changes here at all. That's why I changed the recipient to -users,
not -devel.
> I know this is ugly. So, If I define my own attributes, is it necessary
> for main RADIUS server (which we proxy to) to have modified dictionary
> files ? or it will simply ignore those unknown attributes ?
It should. See RFC2865 section 5.26 and RFC5080 section 2.5 for details. But,
to be honest, the pragmatically best approach is: TRY IT. Define a VSA, send
it, and look what happens.
Greetings,
Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080410/8795fc80/attachment.pgp>
More information about the Freeradius-Users
mailing list