Possible bug in rlm_perl

Josh Hiner josh at remc1.org
Tue Apr 21 03:13:11 CEST 2009


Josh Hiner wrote:
> I think I may have found a bug in rlm_perl. I have written a script, with 
> the aid of another freeradius list member, that checks to see if a user 
> is in a certain samba windows group. If they are not in the group (the 
> wireless group) the module rejects the login. The module works 
> perfectly except for those users whose usernames begin with the letter 
> t. For instance ISD\josh will succeed but ISD\\ted will fail. I have 
> done much testing and can't find my script to be the issue. Look below 
> for debug output from the perl module.
>
> Notice that right after the ++[files] line I print out the radius 
> items for debugging. Notice the User-Name value is correct going into 
> the perl script. Notice on the exit of the perl script on each debug 
> that the username is correct. Then notice later in each debug where 
> these lines are:
> Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS 
> tunnel)
> but when the username begins with a "t" it fails here like this:
> Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 
> via TLS tunnel)
> Notice only one backslash.
>
> I have tried to make it succeed by adding backslashes (for users that 
> start with t) but with no success. It will do ISD\\\tbraun and ISD\tbraun 
> but never ISD\\tbraun. Therefore, with users that start with "t" I 
> always get a "User-Name does not match EAP identity" failure.
>
> Thanks for any help. At the very bottom after the debug output you 
> will find my simple perl script that is well commented.
>
> -Josh
>
> ------- Successful attempt --------
> ++[files] returns noop
> They key is User-Name and the value is ISD\\josh.They key is 
> EAP-Message and the value is 0x020900061a03.They key is EAP-Type and 
> the value is MS-CHAP-V2.They key is State and the value is 
> 0xfeecb38bffe5a965a0ca1cd92ce6c42b.They key is FreeRADIUS-Proxied-To 
> and the value is 127.0.0.1.
> rlm_perl: Added pair User-Name = ISD\josh
> rlm_perl: Added pair EAP-Message = 0x020900061a03
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
> rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair Proxy-To-Realm = LOCAL
> ++[perl] returns updated
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Freeing handler
> ++[eap] returns ok
> Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS 
> tunnel)
> } # server inner-tunnel
> [peap] Got tunneled reply code 2
>    EAP-Message = 0x03090004
>    Message-Authenticator = 0x00000000000000000000000000000000
>    User-Name = "ISD\\josh"
> [peap] Got tunneled reply RADIUS code 2
>    EAP-Message = 0x03090004
>    Message-Authenticator = 0x00000000000000000000000000000000
>    User-Name = "ISD\\josh"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> [peap] Saving tunneled attributes for later
> --------- End snip of successful attempt ---------
>
> --------- Failed attempt from user whose username begins with a "t" 
> (tbraun) ---------
> ++[files] returns noop
> They key is User-Name and the value is ISD\\tbraun.They key is 
> EAP-Message and the value is 0x0207000f014953445c74627261756e.They key 
> is EAP-Type and the value is Identity.They key is 
> FreeRADIUS-Proxied-To and the value is 127.0.0.1.rlm_perl: Added pair 
> User-Name = ISD\tbraun
> rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e
> rlm_perl: Added pair EAP-Type = Identity
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair Proxy-To-Realm = LOCAL
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
> ++[perl] returns updated
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 
> via TLS tunnel)
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
> [peap] Got tunneled reply RADIUS code 3
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ----------- End of snip of failed attempt ----------------
>
> ----------- Begin paste of perl script ------------------
>
> #!/usr/bin/perl -w
> use strict;
> # use ...
> use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
> use Data::Dumper;
>
> # This hash holds the original request from RADIUS.
> #my %RAD_REQUEST;
> # In this hash you add values that will be returned to the NAS.
> #my %RAD_REPLY;
> # This is for check items.
> #my %RAD_CHECK;
>
> #
> # This is the remapping of return values
> #
> use constant RLM_MODULE_REJECT   => 0; # immediately reject the request
> use constant RLM_MODULE_FAIL     => 1; # module failed, don't reply
> use constant RLM_MODULE_OK       => 2; # the module is OK, continue
> use constant RLM_MODULE_HANDLED  => 3; # the module handled the request, so stop
> use constant RLM_MODULE_INVALID  => 4; # the module considers the request invalid
> use constant RLM_MODULE_USERLOCK => 5; # reject the request (user is locked out)
> use constant RLM_MODULE_NOTFOUND => 6; # user not found
> use constant RLM_MODULE_NOOP     => 7; # module succeeded without doing anything
> use constant RLM_MODULE_UPDATED  => 8; # OK (pairs modified)
> use constant RLM_MODULE_NUMCODES => 9; # how many return codes there are
>
> # Function to handle authorize
> sub authorize {
>
>     my $sambagroup = "10007"; # This is the numeric ID of the samba group
>     my $domain     = "ISD";
>
>     # Testing stuff to print out all radius attributes from the hash
>     my $key   = "";
>     my $value = "";
>     while (($key, $value) = each(%RAD_REQUEST)) {
>         print "They key is $key and the value is $value.";
>     }
>     # End of testing
>     my $auth_user = $RAD_REQUEST{'User-Name'};
>
>     # Windows adds host/ to the beginning of every machine name during login.
>     # The following block of code cleans off host/ and replaces it with
>     # the login domain and tags a $ on the end for the wbinfo group query.
>     if ($auth_user =~ /\bhost\b/) {
>         $auth_user =~ s/^host\///;
>         $auth_user = "$auth_user\$";
>     }
>
>     # Here I add the domain to the beginning of the username if the domain
>     # doesn't exist there already.
>     if ($auth_user !~ /^\b$domain\b/) {
>         $auth_user = "$domain\\\\$auth_user";
>     }
>
>     # End of username/machine name cleanup.
>
>     # The next line is the wbinfo query to see what samba groups the user
>     # is a member of. $auth_user comes straight from the request and is
>     # expanded by the shell here (that is also what collapses the doubled
>     # backslashes before wbinfo sees the name).
>     my @resultArray = qx(wbinfo -r $auth_user);
>     chomp(@resultArray);
>
>     my $arraySize = scalar @resultArray;
>     my $groupID   = "";
>
>     if ($arraySize != 0) {
>         foreach $groupID (@resultArray) {
>             if ($groupID == $sambagroup) {
>                 # The line below re-writes the value stored in the RADIUS
>                 # User-Name attribute in the RAD_REQUEST hash. For some
>                 # reason FreeRADIUS feeds in DOMAIN\\\\username instead of
>                 # DOMAIN\\username. This causes the eap module to fail
>                 # because the returned value from this module doesn't match
>                 # the EAP identity.
>
>                 # this is from testing --> $RAD_REQUEST{'User-Name'} = "ISD\\\\tbraun"
>
>                 # The following line cleans two of the slashes "\\" out of
>                 # the User-Name before we return from the perl module.
>                 # These two slashes get added in. I'm not sure how or why.
>                 $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/;
>
>                 # Here I exit the subroutine and tell FreeRADIUS I updated
>                 # some junk.
>                 return RLM_MODULE_UPDATED;
> #               return RLM_MODULE_OK;
>             }
>         }
>     }
>
>     # User not in the required group (or wbinfo returned nothing at all).
>     return RLM_MODULE_REJECT; # YOU have been denied....
> }
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
I forgot to mention the freeradius version I am using is 2.1.3. Sorry 
and thanks.
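The two debug runs above, modelled as an added example that is not part of the original post or of FreeRADIUS: the Perl module receives User-Name with its backslash escaped (ISD\\tbraun), the posted substitution strips one backslash and leaves ISD\tbraun, and if the server decodes C-style escapes when the pair is added back that becomes ISD<tab>braun, while ISD\josh survives because \j is not an escape. decode_escapes is an assumed stand-in for that server-side re-parsing (not the server's own code), and the nsmith entry is an extra constructed case showing the same effect for a name starting with n.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed model of how the server re-parses a string value a module hands
# back: C-style escapes are decoded and an unknown escape is kept verbatim.
# This is a stand-in for the server's own parser, not FreeRADIUS code.
sub decode_escapes {
    my ($s) = @_;
    my %map = ('t' => "\t", 'n' => "\n", 'r' => "\r", '\\' => '\\', '"' => '"');
    $s =~ s/\\(.)/exists $map{$1} ? $map{$1} : "\\$1"/ge;
    return $s;
}

# What the posted authorize() does to User-Name: drop one backslash
# after the domain prefix.
sub strip_one_backslash {
    my ($user, $domain) = @_;
    $user =~ s/^\Q$domain\E\\/$domain/;
    return $user;
}

# Make control characters visible when printing.
sub show {
    my ($s) = @_;
    $s =~ s/\t/<TAB>/g;
    $s =~ s/\n/<LF>/g;
    return $s;
}

my $bs     = "\\";   # one literal backslash character
my $domain = "ISD";

# Constructed inputs, built the way the debug output shows them arriving
# in %RAD_REQUEST: the backslash is already escaped (two characters).
for my $user (qw(josh tbraun nsmith)) {
    my $seen     = "ISD$bs$bs$user";          # value the Perl module sees
    my $expected = "ISD$bs$user";             # the real identity
    my $stripped = strip_one_backslash($seen, $domain);
    my $stored   = decode_escapes($stripped); # what the server would store

    printf "%-7s stripped:  %-12s -> %-15s %s\n", $user, $stripped,
        show($stored), $stored eq $expected ? "matches identity" : "MISMATCH";
    printf "%-7s untouched: %-12s -> %s\n", $user, $seen,
        show(decode_escapes($seen));
}
```

Returning the value exactly as it was received round-trips cleanly in every case, which the "untouched" lines show.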
