----------------------------------------
> Date: Thu, 28 Dec 2006 08:44:22 -0800
> From: al...@deployingradius.com
> To: freeradi...@lists.freeradius.org
> Subject: Re: problem with NT-Password and LDAP
>
> Ana Gallardo Gómez wrote:
>
> > Well, I can not modify the LDAP server, I only can use it,
> > so, while I ask the LDAP administrator to modify this atribute,
> > I would like to modify in Freeradius server.
>
> OK, use the "perl" module to re-write the attribute. There is an
> "example.pl" distributed with the server that should be a good start.
>
> Alan DeKok.
> --
I'm going to use the "perl" module, but first, while I learn to use it, I tried the attr_rewrite module:
attr_rewrite quitar_espacios {
    attribute = NT-Password
    # may be "packet", "reply", "proxy", "proxy_reply" or "config"
    searchin = config
    searchfor = " "
    replacewith = ""
    ignore_case = no
    new_attribute = no
    max_matches = 220
    ## If set to yes then the replace string will be appended to the original string
    append = no
}
I don't know if I can use regular expressions in the "searchfor" field, and, in that case, what the regular expression grammar is; or if it is better with "max_matches = 220" and "searchfor = " ""...
I use this module in authorize section:
authorize {
    preprocess
    suffix
    files
    Autz-Type LDAP_LOCAL {
        ldap_local
    }
    Autz-Type LDAP_UNEX_ES {
        ldap_unex_es
        quitar_espacios
    }
    mschap
    eap
}
and I can authenticate users:
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_unex_es" returns ok for request 7
radius_xlat: ' '
rlm_attr_rewrite: Changed value for attribute NT-Password from '06B11E3D941021E1A5C51C6868F2F0E6 ' to '06B11E3D941021E1A5C51C6868F2F0E6'
modcall[authorize]: module "quitar_espacios" returns ok for request 7
modcall: leaving group LDAP_UNEX_ES (returns ok) for request 7
Thank you
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> OK, use the "perl" module to re-write the attribute. There is an
> "example.pl" distributed with the server that should be a good start.
>
> Alan DeKok.
I'm trying to use the perl module to authenticate users, removing white spaces from NT-Password. This is my remove_white_spaces.pl:
use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_CONFIG %RAD_PROXY %RAD_PROXY_REPLY);
use Data::Dumper;

use constant RLM_MODULE_REJECT   => 0; # immediately reject the request
use constant RLM_MODULE_FAIL     => 1; # module failed, don't reply
use constant RLM_MODULE_OK       => 2; # the module is OK, continue
use constant RLM_MODULE_HANDLED  => 3; # the module handled the request, so stop
use constant RLM_MODULE_INVALID  => 4; # the module considers the request invalid
use constant RLM_MODULE_USERLOCK => 5; # reject the request (user is locked out)
use constant RLM_MODULE_NOTFOUND => 6; # user not found
use constant RLM_MODULE_NOOP     => 7; # module succeeded without doing anything
use constant RLM_MODULE_UPDATED  => 8; # OK (pairs modified)
use constant RLM_MODULE_NUMCODES => 9; # how many return codes there are

# Convert each two-digit hex number back to an ASCII character.
sub hex_to_ascii ($)
{
    (my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
    return $str;
}

# Convert each ASCII character to a two-digit hex number.
sub ascii_to_hex ($)
{
    (my $str = shift) =~ s/(.|\n)/sprintf("%02lx", ord $1)/eg;
    return $str;
}

# Function to handle authorize
sub authorize {
    # rlm_perl hands the octets attribute over as "0x" followed by hex digits.
    my $h_str = $RAD_CHECK{'NT-Password'};
    &radiusd::radlog(1, "NT-Password (hex) ..... $h_str");

    # Decode the hex once, then drop the trailing padding and the "0x" prefix.
    my $a_str = hex_to_ascii $h_str;
    $a_str =~ s/(\s)+$//;
    $a_str =~ s/(0x)//;
    &radiusd::radlog(1, "NT-Password (ascii) ..... $a_str");

    # Hex-encode the cleaned string again and store it (this is what produces
    # the 64-character value seen in the debug output below).
    $h_str = ascii_to_hex $a_str;
    $RAD_CHECK{'NT-Password'} = $h_str;
    &radiusd::radlog(1, "NT-Password ..... $RAD_CHECK{'NT-Password'}");
    return RLM_MODULE_OK;
}
In radiusd.conf...
perl {
    module = /usr/local/radius/scripts_perl/quitar_espacios.pl
    max_clones = 32
    start_clones = 5
    min_spare_clones = 3
    max_spare_clones = 3
    cleanup_delay = 5
    max_request_perl_clone = 0
}
authorize {
    preprocess
    suffix
    files
    Autz-Type LDAP_UNEX_ES {
        ldap_unex_es
        perl
    }
    mschap
    eap
}
The debug information is:
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap_unex_es" returns ok for request 6
perl_pool: item 0x835eb10 asigned new request. Handled so far: 3
found interpetator at address 0x835eb10
rlm_perl: NT-Password (hex) ..... 0x303642313145334439343130323145314135433531433638363846324630453620202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020
rlm_perl: NT-Password (ascii) ..... 06B11E3D941021E1A5C51C6868F2F0E6
rlm_perl: NT-Password ..... 3036423131453344393431303231453141354335314336383638463246304536
rlm_perl: Added pair NT-Password = 3036423131453344393431303231453141354335314336383638463246304536
rlm_perl: Added pair User-Password = 76027476
rlm_perl: Added pair Autz-Type = LDAP_UNEX_ES
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Auth-Type = EAP
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x835eb10
modcall[authorize]: module "perl" returns ok for request 6
modcall: leaving group LDAP_UNEX_ES (returns ok) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: Invalid NT-Password <----
rlm_mschap: Told to do MS-CHAPv2 for 02747632 with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect: [02747632/<no User-Password attribute>] (from client localhost port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
...
I don't know what the problem is: is NT-Password hexadecimal? Incorrect use of the perl module?...
Thank you, especially to Alan
If your previous solution worked, why use Perl?
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
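The debug output in the second message shows where the script goes wrong, and the following is an added example of an authorize() that handles it; it is my own code, not Ana's script and not FreeRADIUS's example.pl. It assumes, as the "NT-Password (hex) ..... 0x3036..." line suggests, that rlm_perl passes the octets attribute as "0x" followed by the hex encoding of the raw bytes, and that those bytes are the 32-character hex hash padded with spaces. The value therefore needs to be decoded once, trimmed, and stored as the 32-character string: rlm_mschap decodes a 32-character NT-Password itself, which is why the attr_rewrite version (which left the 32 characters in place) authenticated, while the 64-character value produced by hex-encoding the string a second time is logged as "Invalid NT-Password". The names normalize_nt_password, log_msg and the NT_PASSWORD_DEMO environment variable are mine; the sample input is constructed from the hash value and padding shown in the thread.

```perl
#!/usr/bin/perl
# Added example, not the script from the thread and not FreeRADIUS's example.pl:
# an rlm_perl authorize() that turns a space-padded NT-Password from LDAP into
# the 32-hex-digit value rlm_mschap expects, without hex-encoding it twice.
#
# Assumptions (mine, not stated on the page): rlm_perl hands an octets
# attribute to the script as "0x" followed by the hex encoding of its raw
# bytes, as the "NT-Password (hex) ..... 0x3036..." debug line suggests, and
# those bytes are the 32-character hex hash padded with spaces.
use strict;
use warnings;

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK, %RAD_CONFIG);

use constant RLM_MODULE_NOOP    => 7;  # module succeeded without doing anything
use constant RLM_MODULE_UPDATED => 8;  # OK (pairs modified)

# Log through radiusd::radlog inside the server; fall back to STDERR when the
# script is run from a shell, where that function does not exist.
sub log_msg {
    my ($msg) = @_;
    if (defined &radiusd::radlog) { radiusd::radlog(1, $msg); }
    else                          { print STDERR "$msg\n"; }
}

# Reduce whatever rlm_perl handed us to the 32 hex digits of the NT hash, or
# return undef if the value cannot be an NT hash.
sub normalize_nt_password {
    my ($value) = @_;
    return unless defined $value;

    # "0x3036..." is the hex encoding of the raw attribute bytes: decode it
    # once. A value without the prefix is taken to be the raw string already.
    if ($value =~ /^0x((?:[0-9a-fA-F]{2})+)$/) {
        $value = pack 'H*', $1;
    }

    # Strip the padding LDAP appended (spaces, tabs, NULs) on either side.
    $value =~ s/^[\s\0]+//;
    $value =~ s/[\s\0]+$//;

    # An NT hash is 16 bytes, written as exactly 32 hex digits. Anything else,
    # including the 64 digits that hex-encoding the hex string a second time
    # produces, is rejected here instead of being passed on to rlm_mschap.
    return unless $value =~ /^[0-9a-fA-F]{32}$/;
    return uc $value;
}

# Function to handle authorize
sub authorize {
    my $cleaned = normalize_nt_password($RAD_CHECK{'NT-Password'});

    unless (defined $cleaned) {
        log_msg("NT-Password from LDAP is not a 32-digit hex NT hash; leaving it untouched");
        return RLM_MODULE_NOOP;
    }

    # Store the 32-character hex string as-is: rlm_mschap decodes a
    # 32-character NT-Password itself, so it must not be hex-encoded again.
    $RAD_CHECK{'NT-Password'} = $cleaned;
    log_msg("NT-Password normalised to $cleaned");
    return RLM_MODULE_UPDATED;
}

# Stand-alone check, run only when NT_PASSWORD_DEMO is set so that it never
# executes inside the server. The input is constructed from the hash value and
# space padding seen in the thread's debug output.
if ($ENV{NT_PASSWORD_DEMO}) {
    my $padded = '06B11E3D941021E1A5C51C6868F2F0E6' . (' ' x 200);
    %RAD_CHECK = ('NT-Password' => '0x' . unpack('H*', $padded));
    my $rc = authorize();
    print "rc=$rc NT-Password=$RAD_CHECK{'NT-Password'}\n";

    # A value that is not a hash is left alone and reported as NOOP.
    %RAD_CHECK = ('NT-Password' => 'not-a-hash');
    print "rc=", authorize(), "\n";
}

1;
```

Point `module =` in the perl {} section at this file, as in the configuration in the second message, and keep `perl` after the ldap module in the Autz-Type group so that NT-Password is already in the check items when authorize() runs. From a shell, `NT_PASSWORD_DEMO=1 perl remove_white_spaces.pl` exercises the two cases with the constructed input; inside the server the demo block is skipped and only the logged "NT-Password normalised to ..." line shows what was stored. Values that do not reduce to 32 hex digits are left untouched, so rlm_mschap still rejects them rather than receiving a mangled hash.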