Possible bug in rlm_perl
Josh Hiner
josh at remc1.org
Tue Apr 21 03:13:11 CEST 2009
Josh Hiner wrote:
> I think I may have found a bug in rlm_perl? I have written a script with
> the aid of another freeradius list member that checks to see if a user
> is in a certain samba windows group. If they are not in the group (the
> wireless group) the module rejects the login. The module works
> perfectly except for those users whose usernames begin with the letter
> t. For instance ISD\josh will succeed but ISD\\ted will fail. I have
> done much testing and can't find my script to be the issue. Look below
> for debug output for the perl module.
>
> Notice that right after the ++[files] line I print out the radius
> items for debugging. Notice the User-Name value is correct going into
> the perl script. Notice on the exit of the perl script on each debug
> that the username is correct. Then notice later in each debug where
> these lines are:
> Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS
> tunnel)
> but when the username begins with a "t" it fails here like this:
> Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0
> via TLS tunnel)
> Notice only one backslash.
>
> I have tried to make it succeed by adding backslashes (for users that
> start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun
> but never ISD\\tbraun. Therefore, with users that start with "t" I
> always get User-name does not match eap identity failure.
>
> Thanks for any help. At the very bottom after the debug output you
> will find my simple perl script that is well commented.
>
> -Josh
>
> ------- Successful attempt --------
> ++[files] returns noop
> They key is User-Name and the value is ISD\\josh.They key is
> EAP-Message and the value is 0x020900061a03.They key is EAP-Type and
> the value is MS-CHAP-V2.They key is State and the value is
> 0xfeecb38bffe5a965a0ca1cd92ce6c42b.They key is FreeRADIUS-Proxied-To
> and the value is 127.0.0.1.
> rlm_perl: Added pair User-Name = ISD\josh
> rlm_perl: Added pair EAP-Message = 0x020900061a03
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
> rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair Proxy-To-Realm = LOCAL
> ++[perl] returns updated
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Freeing handler
> ++[eap] returns ok
> Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS
> tunnel)
> } # server inner-tunnel
> [peap] Got tunneled reply code 2
> EAP-Message = 0x03090004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "ISD\\josh"
> [peap] Got tunneled reply RADIUS code 2
> EAP-Message = 0x03090004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "ISD\\josh"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> [peap] Saving tunneled attributes for later
> --------- End snip of successful attempt ---------
>
> --------- Failed attempt from user whose username begins with a "t"
> (tbraun) ---------
> ++[files] returns noop
> They key is User-Name and the value is ISD\\tbraun.They key is
> EAP-Message and the value is 0x0207000f014953445c74627261756e.They key
> is EAP-Type and the value is Identity.They key is
> FreeRADIUS-Proxied-To and the value is 127.0.0.1.
> rlm_perl: Added pair User-Name = ISD\tbraun
> rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e
> rlm_perl: Added pair EAP-Type = Identity
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair Proxy-To-Realm = LOCAL
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
> ++[perl] returns updated
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0
> via TLS tunnel)
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
> [peap] Got tunneled reply RADIUS code 3
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ----------- End of snip of failed attempt ----------------
>
> ----------- Begin paste of perl script ------------------
>
> #!/usr/bin/perl -w
> use strict;
> # use ...
> use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
> use Data::Dumper;
>
> # This is the hash which holds the original request from radius
> #my %RAD_REQUEST;
> # In this hash you add values that will be returned to the NAS.
> #my %RAD_REPLY;
> # This is for check items
> #my %RAD_CHECK;
>
> #
> # This is the remapping of return values
> #
> use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
> use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
> use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
> use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
> use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
> use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
> use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
> use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
> use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
> use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */
>
> # Function to handle authorize
> sub authorize {
>
>     my $sambagroup = "10007"; # This is the numeric ID of the samba group
>     my $domain = "ISD";
>
>     # Testing stuff to print out all radius attributes from the hash
>     my $key = "";
>     my $value = "";
>     while (($key, $value) = each (%RAD_REQUEST)) {
>         print "They key is $key and the value is $value.";
>     }
>     # End of testing
>     my $auth_user = $RAD_REQUEST{'User-Name'};
>
>     # Windows adds host/ to the beginning of every machine name during login.
>     # The following block of code cleans off host/ and replaces it with
>     # the login domain and tags a $ at the end for the wbinfo group query.
>
>     if ($auth_user =~ /\bhost\b/ ) {
>         $auth_user =~ s/^host\/// ;
>         $auth_user = "$auth_user\$";
>     }
>
>     # Here I add the domain to the beginning of the username if the domain
>     # doesn't exist there already.
>     if ( $auth_user !~ /^\b$domain\b/ ) {
>         $auth_user = "$domain\\\\$auth_user";
>     }
>
>     # End of username/machine name cleanup.
>
>     # The next line is the wbinfo query to see what samba groups the user
>     # is a member of.
>     my @resultArray = qx(wbinfo -r $auth_user);
>
>     my $arraySize = scalar @resultArray;
>     my $groupID = "";
>
>     if ($arraySize != 0) {
>         foreach $groupID (@resultArray) {
>             if ($groupID == $sambagroup) {
>                 # The below line re-writes the value stored in
>                 # the radius user-name attribute in the rad_request
>                 # hash. For some reason freeradius feeds in
>                 # DOMAIN\\\\username instead of DOMAIN\\username.
>                 # This causes the eap module to fail because the
>                 # returned value from this module doesn't match the EAP
>                 # identity.
>
>                 # this is from testing --> $RAD_REQUEST{'User-Name'} = "ISD\\\\tbraun"
>
>                 # The following line cleans two of the slashes "\\"
>                 # out of the user-name before we return from the
>                 # perl module. These two slashes get added in. I'm
>                 # not sure how or why.
>                 $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/;
>
>                 # Here I exit the subroutine and tell FreeRadius I updated
>                 # some junk.
>
>                 return RLM_MODULE_UPDATED;
>                 # return RLM_MODULE_OK;
>             }
>         }
>         # wbinfo returned groups but none of them is the required one:
>         # reject explicitly instead of falling off the end of the sub.
>         return RLM_MODULE_REJECT;
>     }
>     else {
>         # user not in the required group.
>         return RLM_MODULE_REJECT; # YOU have been denied....
>     }
> }
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
I forgot to mention the freeradius version I am using is 2.1.3. Sorry
and thanks.
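The debug output above shows the failure happening at the EAP Identity comparison, and the two post-script spellings (ISD\josh passes, ISD\tbraun does not) are the only data points in the post. The following Perl script is an added example, not code from Josh's post or from FreeRADIUS: it decodes the EAP Identity from the EAP-Message hex of the failed attempt, pushes the User-Name values the script printed from %RAD_REQUEST through the script's own backslash-stripping substitution, then through a modelled C-style escape pass (the `unescape_c` function, which is an assumption about what happens to the value after the module returns it, not something the post shows), and compares the results with the identity. The hash values, the josh identity and the helper names (`eap_identity`, `round_trip`) are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the post): trace the User-Name through the
# script's cleanup and a modelled escape pass, then compare it with the
# EAP Identity decoded from the EAP-Message in the debug output.
use strict;
use warnings;

# Constructed inputs, copied from the debug output in the post.
my $DOMAIN         = 'ISD';
my $EAP_MSG_FAILED = '0x0207000f014953445c74627261756e';
# %RAD_REQUEST values as the script's debug print showed them: each holds
# TWO literal backslashes (in single-quoted Perl, '\\' is one backslash).
my %HASH_USER_NAME = (
    josh   => 'ISD\\\\josh',
    tbraun => 'ISD\\\\tbraun',
);
# The josh identity is not in the post as hex; constructed from the
# "Login OK: [ISD\\josh]" line, which prints one real backslash as two.
my %IDENTITY = ( josh => 'ISD\\josh' );

# Decode an EAP-Message as FreeRADIUS prints it (0x-prefixed hex) and
# return the Identity string, or undef if it is not EAP-Response/Identity.
# Layout: Code(1) Identifier(1) Length(2) Type(1) Type-Data(...).
sub eap_identity {
    my ($hex) = @_;
    $hex =~ s/^0x//;
    my $pkt = pack('H*', $hex);
    my ($code, $id, $len, $type) = unpack('C C n C', $pkt);
    return undef unless defined $type && $code == 2 && $type == 1;
    return undef unless $len == length $pkt;   # declared length must match
    return substr($pkt, 5);
}

# The post's cleanup step: remove one backslash directly after the domain.
sub strip_one_backslash {
    my ($name, $domain) = @_;
    $name =~ s/^\Q$domain\E\\/$domain/;
    return $name;
}

# ASSUMPTION: a model of C-style escape handling applied to the returned
# User-Name when it is parsed back into an attribute (\\ -> \, \t -> TAB,
# \n -> LF, \r -> CR, \" -> "). Unknown escapes such as \j are left alone.
# The post does not show what rlm_perl or FreeRADIUS 2.1.3 actually do;
# this is the hypothesis the comparison below tests.
sub unescape_c {
    my ($s) = @_;
    my %map = ('\\' => '\\', 't' => "\t", 'n' => "\n", 'r' => "\r", '"' => '"');
    $s =~ s/\\(.)/exists $map{$1} ? $map{$1} : "\\$1"/ge;
    return $s;
}

# Make control characters visible for printing.
sub visible {
    my ($s) = @_;
    $s =~ s/\t/<TAB>/g;
    return $s;
}

# Push one hash value through the script's cleanup (or not) and the
# modelled unescape; return the final string and whether it equals the
# EAP Identity.
sub round_trip {
    my ($hash_value, $identity, $strip) = @_;
    my $returned = $strip ? strip_one_backslash($hash_value, $DOMAIN) : $hash_value;
    my $final    = unescape_c($returned);
    return ($final, $final eq $identity);
}

$IDENTITY{tbraun} = eap_identity($EAP_MSG_FAILED)
    or die "EAP-Message is not an Identity response\n";

for my $user (qw(josh tbraun)) {
    print "$user: EAP Identity = ", visible($IDENTITY{$user}), "\n";
    for my $strip (1, 0) {
        my ($final, $ok) = round_trip($HASH_USER_NAME{$user}, $IDENTITY{$user}, $strip);
        printf "  %-32s returns %-16s -> %s\n",
            ($strip ? 'script (one backslash stripped)' : 'hash value left as-is'),
            visible($final), ($ok ? 'matches' : 'MISMATCH');
    }
}
```

Run it with plain `perl`; for each user it prints whether the value would still equal the EAP Identity under each treatment. If the modelled escape pass is what really happens, it accounts for every observation in the post: `\j` is not an escape sequence, so ISD\josh survives whether or not a backslash is stripped, whereas `\t` turns into a tab, so only a returned value that still carries both backslashes ends up as ISD\tbraun. Two notes on the wbinfo call in the script: the doubled backslashes it builds for `qx(wbinfo -r $auth_user)` are consumed by /bin/sh, which collapses an unquoted `\\` to `\`, so wbinfo itself sees one; and because that shell sees the raw User-Name from the request, a list-form `open(my $fh, '-|', 'wbinfo', '-r', $name)` would both avoid the shell's backslash handling (a single backslash would then be the right thing to pass) and stop a crafted username from being interpreted as shell syntax.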