rlm_perl changing User-Name and proxy requests

Ti Leggett leggett at mcs.anl.gov
Fri Jan 11 20:58:36 CET 2013

I have an issue with rlm_perl changing the request User-Name attribute but the proxy request not honoring it. First I'll describe what I'm trying to accomplish and why and then what I'm doing. I'm running a branch of 2.2.1 that has some krb5 realm fixes in it.

I have multiple realms that users can authenticate against: our division has replayable password (handled by kerberos) and one time passwords (handled by both YubiKeys and Crypto Card), our lab has replayable passwords (handled by AD) and a separate one time password system (handled by Crypto Card). For services that we want to allow replayable passwords (like IMAP access for instance), we want to allow the user to choose which service to use (division or lab). For services requiring OTP we want the user to choose which OTP token they want to use (some people have multiple because of external requirements). We want users to be able to change these auth preferences on their own and not have this require changing the RADIUS configuration (a.k.a., the users file) to do this. Our account information is kept in LDAP.

This is all well and good except that usernames between the division and the lab aren't guaranteed to match - User A might have lastname as their division name, but lastnamefirst as their lab username. For the kerberos and AD request the RADIUS server can handle the request directly using rlm_krb5, but for all the OTP requests the server must proxy to the correct OTP server to handle the request.

Here's my plan for accomplishing this.

During authorization, rlm_ldap is used to make sure if the user is in LDAP. If not the request is rejected outright (this should help with brute force attempts bogging down all the servers for bogus attempts). Next an rlm_perl module is called to get the user's preferred realm and what username to use in that realm from LDAP. An example would be leggett@ yubi.division.example.com (signifying that I want to use YubiKey from my division). The rlm_perl module updates the request User-Name to be this preference and Auth-Type to be System (see http://pastie.org/5670077). Lastly rlm_realm checks the request to determine if it should be proxied or not. The problem is this: Everything works if the username doesn't change. For instance, if I'm leggett at yubi.division.example.com and leggett at crypto.example.com, things work. The User-Name change being done by rlm_perl is being recognized by rlm_realm and rlm_realm is routing to the proper realm; however, rlm_realm seems to want to clobber User-Name in its own way, so that by the time proxying happens User-Name is set to whatever the initial username was - if I started the process as leggett and wanted my username to eventually be ti.leggett at crypto.example.com, by the time it reaches the proxy phase my User-Name attribute has been reset back to leggett even if I rerun the rlm_perl module after rlm_realm (see http://pastie.org/5670076)

I notice that rlm_suffix doesn't overwrite the Stripped-User-Name rlm_perl adds, but appends another entry. This is fine for my purposes since the rlm_perl one is added first subsequent calls use that value. I'm afraid the same is happening with User-Name in that rlm_perl is appending another entry instead of overwriting the ones there.

So is there any way around this or am I completely insane with this approach?

More information about the Freeradius-Users mailing list