(RADIATOR) full user name -> rewritten to realm only -> want full user name again in LDAP lookup & hooks.

Lohier, Matthew Matthew.Lohier at pba.com.au
Thu Nov 10 19:21:09 CST 2005 

Hi everyone,

Version: Radiator-3.13 on linux.

I've noticed some problems with rewriting the user name, and then using
the %u,%w... variables to use the original name before the rewriting had
happened.

I use User-Name in some LDAP lookup with the full name (user at realm),
then rewrite the user name to realm only and do a lookup, but then I
need to do another lookup with the full name again (see below).

<Handler Client-Identifier=XXX,Request-Type=Access-Request>
	AuthByPolicy ContinueWhileAccept

	<AuthBy GROUP>
		AuthByPolicy ContinueUntilIgnore
		AuthBy lookupUT
		<AuthBy INTERNAL>
			AuthHook file:"%D/Hooks/checkUT.pl"
		</Authby>
	</AuthBy>

	<AuthBy GROUP>
		AuthByPolicy ContinueUntilIgnore
		# Rewriting username stripping user and leaving domain.
		RewriteUsername s/^.*@//
		AuthBy lookupTunnel
		<AuthBy INTERNAL>
			AuthHook file:"%D/Hooks/checkTunnel.pl"
		</Authby>
	</Authby>

	#
	# NEED TO USE THE ORIGINAL USER NAME HERE (before rewriting).
	<AuthBy GROUP>
		AuthByPolicy ContinueUntilIgnore
		AuthBy lookupSubscriber
		<AuthBy INTERNAL>
			AuthHook file:"%D/Hooks/checkSubscriber.pl"
		</Authby>
	</AuthBy>
</Handler>

<AuthBy LDAP2>
	Identifier 		lookupSubscriber
	Host 			xxx
	Port			yyy
	AuthDN 			sss
	AuthPassword 		yy
	BaseDN 			yyy
	NoDefault
	UsernameAttr 		cn
	PasswordAttr 
	SearchFilter		(cn=%u)
	AddToReply 		Reply-Message=SUCCESS
	AuthAttrDef		uid,Utid,reply
</AuthBy>

Note: I cannot modify the ordering of the clause. I use %u (full name
before rewriting) in the last clause.

Suppose Clause 1 has happened with user matt.lohier at realm.net.au. Clause
2 modified the name to realm.net.au. And now in Clause 3 sorts of work.
The LDAP query will find the right user (matt.lohier at realm.net.au) but
Radiator will still try to match the entry with the rewritten user name
(realm.net.au) (see below) AND more importantly the User-Name attribute
in the request is still the rewritten one. Annoying!

Fri Nov 11 12:07:56 2005: DEBUG: LDAP got result for
cn=matt.lohier at realm.net.au,ou=Subscriber
directory,dc=iburstForum,dc=org
Fri Nov 11 12:07:56 2005: DEBUG: LDAP got uid: 001264384002795
Fri Nov 11 12:07:56 2005: DEBUG: LDAP got creationDate: 1131670385
Fri Nov 11 12:07:56 2005: DEBUG: LDAP got ati: 10
Fri Nov 11 12:07:56 2005: DEBUG: Radius::AuthLDAP2 looks for match with
realm.net.au
Fri Nov 11 12:07:56 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Fri Nov 11 12:07:56 2005: DEBUG: Handling with AuthINTERNAL:
Fri Nov 11 12:07:56 2005: DEBUG: AuthHook checkSubscriber()
Fri Nov 11 12:07:56 2005: DEBUG: Checking access request for user
(realm.net.au) and uid (001264384002795).
Fri Nov 11 12:07:56 2005: DEBUG: Request has User-Name: realm.net.au


So I did things a bit differently and used StripFromRequest,AddToRequest
in the Clause 3.
	<AuthBy GROUP>
		AuthByPolicy ContinueUntilIgnore
		StripFromRequest	User-Name
		AddToRequest 		User-Name=%u
		AuthBy lookupSubscriber
		<AuthBy INTERNAL>
			AuthHook file:"%D/Hooks/checkSubscriber.pl"
		</Authby>
	</AuthBy>


That's a bit better (see below), but Radiator's still trying to match
the entry with the old user name. It works in this case, but I'm worried
we can run into problems. That code is in AuthGeneric.pm.
Fri Nov 11 12:15:01 2005: DEBUG: Handling with Radius::AuthLDAP2:
lookupSubscriber
Fri Nov 11 12:15:01 2005: INFO: Connecting to xxx
Fri Nov 11 12:15:01 2005: INFO: Attempting to bind to LDAP server yyy
Fri Nov 11 12:15:01 2005: DEBUG: LDAP got result for
cn=matt.lohier at realm.au,ou=XXX
Fri Nov 11 12:15:01 2005: DEBUG: LDAP got uid: 001264384002795
Fri Nov 11 12:15:01 2005: DEBUG: Radius::AuthLDAP2 looks for match with
realm.net.au
Fri Nov 11 12:15:01 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Fri Nov 11 12:15:01 2005: DEBUG: Handling with AuthINTERNAL:
Fri Nov 11 12:15:01 2005: DEBUG: AuthHook checkSubscriber()
Fri Nov 11 12:15:01 2005: DEBUG: Request has User-Name:
matt.lohier at iburst.net.au


Do you think there's something you can fix here? Or maybe there's a
better way to tackle the problem, and you could show me how?

Thanks a lot / Matt



----------------------------------------------------
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
----------------------------------------------------

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list