Possible bug in rlm_perl
Josh Hiner
josh at remc1.org
Tue Apr 21 01:43:38 CEST 2009
I think I may have found a bug in rlm_perl. I have written a script, with the aid of another freeradius list member, that checks to see if a user is in a certain samba windows group. If they are not in the group (the wireless group) the module rejects the login. The module works perfectly except for those users whose usernames begin with the letter t. For instance ISD\josh will succeed but ISD\\ted will fail. I have done much testing and can't find my script to be the issue. Look below for the debug output of the perl module.
Notice that right after the ++[files] line I print out the radius items for debugging. Notice the User-Name value is correct going into the perl script. Notice on the exit of the perl script in each debug that the username is correct. Then notice later in each debug where these lines are:
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
but when the username begins with a "t" it fails here like this:
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
Notice only one backslash.
I have tried to make it succeed by adding backslashes (for users that start with t) but with no success. It will do ISD\\\tbraun and ISD\tbraun but never ISD\\tbraun. Therefore, with users that start with "t" I always get a "User-Name does not match EAP identity" failure.
Thanks for any help. At the very bottom after the debug output you will
find my simple perl script that is well commented.
-Josh
------- Successful attempt --------
++[files] returns noop
They key is User-Name and the value is ISD\\josh.They key is EAP-Message
and the value is 0x020900061a03.They key is EAP-Type and the value is
MS-CHAP-V2.They key is State and the value is
0xfeecb38bffe5a965a0ca1cd92ce6c42b.They key is FreeRADIUS-Proxied-To and
the value is 127.0.0.1.
rlm_perl: Added pair User-Name = ISD\josh
rlm_perl: Added pair EAP-Message = 0x020900061a03
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "ISD\\josh"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "ISD\\josh"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
--------- End snip of successful attempt ---------
--------- Failed attempt from user whose username begins with a "t" (tbraun) ---------
++[files] returns noop
They key is User-Name and the value is ISD\\tbraun.They key is
EAP-Message and the value is 0x0207000f014953445c74627261756e.They key
is EAP-Type and the value is Identity.They key is FreeRADIUS-Proxied-To
and the value is 127.0.0.1.rlm_perl: Added pair User-Name = ISD\tbraun
rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via
TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
----------- End of snip of failed attempt ----------------
----------- Begin paste of perl script ------------------
#!/usr/bin/perl -w
use strict;
# use ...
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;
# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
#This is for check items
#my %RAD_CHECK;
#
# This is the remapping of return values
#
use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */

# Function to handle authorize
sub authorize {
    my $sambagroup = "10007"; #This is the numeric ID of the samba group
    my $domain = "ISD";

    #Testing stuff to print out all radius attributes from hash
    my $key = "";
    my $value = "";
    while (($key, $value) = each (%RAD_REQUEST)) {
        print "They key is $key and the value is $value.";
    }
    #End of testing

    my $auth_user = $RAD_REQUEST{'User-Name'};

    #Windows adds host/ to the beginning of every machine name during login.
    #The following block of code cleans off host/ and replaces it with
    #the login domain and tags a $ at the end for the wbinfo group query.
    if ($auth_user =~ /\bhost\b/) {
        $auth_user =~ s/^host\///;
        $auth_user = "$auth_user\$";
    }

    #Here I add the domain to the beginning of the username if the
    #domain doesn't exist there already.
    if ($auth_user !~ /^\b$domain\b/) {
        $auth_user = "$domain\\\\$auth_user";
    }
    #End of username/machine name cleanup.

    #The next line is the wbinfo query to see what samba groups the
    #user is a member of.
    my @resultArray = qx(wbinfo -r $auth_user);
    my $arraySize = scalar @resultArray;
    my $groupID = "";

    if ($arraySize != 0) {
        foreach $groupID (@resultArray) {
            if ($groupID == $sambagroup) {
                #The below line re-writes the value stored in
                #the radius user-name attribute in the rad_request
                #hash. For some reason freeradius feeds in
                #DOMAIN\\\\username instead of DOMAIN\\username.
                #This causes the eap module to fail because the
                #returned value from this module doesn't match the EAP
                #identity.
                #this is from testing --> $RAD_REQUEST{'User-Name'} = "ISD\\\\tbraun"
                #The following line cleans two of the slashes "\\"
                #out of the user-name before we return from the
                #perl module. These two slashes get added in. I'm
                #not sure how or why.
                $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/;
                #Here I exit the subroutine and tell FreeRadius I updated
                #some junk.
                return RLM_MODULE_UPDATED;
                # return RLM_MODULE_OK;
            }
        }
        #wbinfo returned a group list that does not contain the required
        #group: reject explicitly instead of falling off the end of the sub.
        return RLM_MODULE_REJECT;
    }
    else {
        #user not in the required group.
        return RLM_MODULE_REJECT; #YOU have been denied....
    }
}
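The backslash handling that the script's comments puzzle over, as an added example that is not part of Josh's post or of rlm_perl itself. It assumes that rlm_perl hands the script each attribute value in its escaped string form (two backslash characters, exactly as the debug print shows) and un-escapes it again when the value is returned, with the usual C-style escapes (\\ \t \n \r \") modelled by the hypothetical unescape_attr below; it shows why stripping one backslash turns a name starting with "t" into a tab character while leaving other names intact.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption (not from the post): the attribute parser understands the usual
# C-style escapes \\ \t \n \r \" and passes any other "\x" pair through unchanged.
sub unescape_attr {
    my ($s) = @_;
    my %map = ('\\' => "\\", 't' => "\t", 'n' => "\n", 'r' => "\r", '"' => '"');
    $s =~ s/\\(.)/exists $map{$1} ? $map{$1} : "\\$1"/ge;
    return $s;
}

# Render a tab visibly so the parsed result can be inspected in a log line.
sub show {
    my ($s) = @_;
    $s =~ s/\t/<TAB>/g;
    return $s;
}

my $domain = "ISD";
# Constructed inputs: the values as they sit in the Perl hash, i.e. already
# escaped, so each single-quoted '\\\\' is two literal backslash characters.
for my $raw ('ISD\\\\josh', 'ISD\\\\tbraun') {
    my $stripped = $raw;
    $stripped =~ s/^$domain\\/$domain/;    # the post's substitution: drops one backslash
    printf "%-12s -> stripped %-11s -> parsed %s\n",
        $raw, $stripped, show(unescape_attr($stripped));
}
# Returning the value untouched lets the parser collapse "\\" to one backslash:
for my $raw ('ISD\\\\josh', 'ISD\\\\tbraun') {
    printf "%-12s -> unchanged            -> parsed %s\n", $raw, show(unescape_attr($raw));
}
```

With the stripped form, ISD\josh survives because "\j" is not an escape sequence, whereas ISD\tbraun parses to ISD<TAB>braun, which is what a log line rendering the tab as \t would print as "ISD\tbraun".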
More information about the Freeradius-Users mailing list