[RADIATOR] UserName Rewrite Function

Rianto Wahyudi R.Wahyudi at latrobe.edu.au
Sun Feb 20 17:30:38 CST 2011


Hi Heikki, 

I think I managed to create a simple wrapper for ntlm_auth. Please see below for the code. 
One problem with the script is that I don't know how to exit properly. 

If I don't use exit $auth, the authentication process seems to stall. 
If I use exit $auth, the authentication process works but it creates a zombie process. 

root     20430  0.0  1.2  19368 13224 ?        Ss   10:03   0:00 /usr/bin/perl /usr/bin/radiusd -config_file /etc/radiator/radius.cfg -daemon
root     20528  0.0  0.0      0     0 ?        Z    10:06   0:00  \_ [ltu_ntlm_auth] <defunct>

Could you please let me know the proper way to exit? What value does Radiator expect from running ntlm_auth?

Regards,
Rianto Wahyudi 


#!/usr/bin/perl

use FileHandle;
use IPC::Open2;
use MIME::Base64;
use strict;
my @input = @ARGV;
my $auth;
my $line;
my $username;


my $pid = open2(*NTLM_OUT, *NTLM_IN, "/usr/bin/ntlm_auth @input");
while (<STDIN>) {
    $line = $_;
    if ( $line =~ /^Username/)
    {
        #rewrite username here
        $username = $line;
        $username =~ s/Username\:\: //g;
        $line = usermap (decode_base64($username));
    }
    print NTLM_IN $line;
    if ($line =~ /^\.$/)
    {
        while (<NTLM_OUT>) {
            print $_;
            last if $_ =~  /^\.$/;
            if ($_ =~ /Authenticated: No/) {
                $auth = 1;
            }
            if ($_ =~ /Authenticated: Yes/ ){
                $auth = 0;
            }
        }
        exit $auth;
    }

}

sub usermap
{
    my $uname = $_[0];
    if ( $uname =~ /r\.wahyudi/ )
    {
        $uname="rwahyudi";
    }
    $uname = "Username:: ".encode_base64($uname);
    return "$uname";
}
exit $auth;



-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Friday, 18 February 2011 7:47 AM
To: Rianto Wahyudi
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] UserName Rewrite Function

On 02/17/2011 02:44 AM, Rianto Wahyudi wrote:

> We have MySQL database containing email alias which map into Active Directory user. 
> Ie : rianto.wahyudi at latrobe.edu.au mapped to rwahyudi at ltu.edu.au
> 
> 
> I would like to utilize this database so user can login with their email address or their AD username. 
> Is it possible to pass UserNameRewrite to a function or another perl script ? 

RewriteUserName expects its argument to be something that Perl binding
operator can use: http://perldoc.perl.org/perlop.html#Binding-Operators

For me it looks like you can not use a function to map the email
addresses to AD usernames.

> All authentication are done via NTLM, and I believe radiator use ntlm_auth program.
> Is it possible to create a wrapper for ntlm_auth script ? 

This is an interesting idea. Ntlm_auth is launched with open2() function
http://perldoc.perl.org/IPC/Open2.html

Parameters are written with print() to $chld_out and read with
readline() from $child_in. A single dot signals the end of input or
output as documented by ntlm_auth man page.

So the communication is quite simple and if you decide to give this a
try, it would be interesting to hear about the results.

> Here is my handler setup : 
> 
> # STUDENTS DOMAIN TTLS
> <Handler Client-Identifier=Eduroam-Server, TunnelledByTTLS=1,Realm=/students.*/i>
>     RewriteUsername s/^\@.*//
>     <AuthBy NTLM>
>         EAPType MSCHAP-V2
>         Domain STUDENTS
>         UsernameMatchesWithoutRealm
>     </AuthBy>
> </Handler>

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
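
The wrapper discussed in this thread, as an added example that is not part of the original messages or of Radiator: it speaks the dot-terminated line protocol Heikki describes, rewrites only the Username line, and relays each reply. Assumptions: the `%alias` table is constructed (the thread keeps aliases in MySQL), the real helper and its arguments are passed in `@ARGV`, and the caller keeps the helper running across requests.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): ntlm_auth wrapper sketch.
use strict;
use warnings;
use IPC::Open2;
use MIME::Base64;

# Constructed alias table; the thread keeps these mappings in MySQL.
my %alias = ('r.wahyudi' => 'rwahyudi');

# Rewrite "Username: x" or "Username:: <base64 x>"; pass other lines through.
sub rewrite_line {
    my ($line) = @_;
    return $line unless $line =~ /^Username(::?) (.*)$/;
    my $name = $1 eq '::' ? decode_base64($2) : $2;
    $name = $alias{lc $name} if exists $alias{lc $name};   # exact match only
    return 'Username:: ' . encode_base64($name, '') . "\n";
}

unless (@ARGV) {
    # No helper given: show the rewrite on a constructed request.
    my @request = ('Username:: ' . encode_base64('r.wahyudi', '') . "\n",
                   "NT-Domain: STUDENTS\n", ".\n");
    print rewrite_line($_) for @request;
    exit 0;
}

$| = 1;   # STDOUT is a pipe to the caller: flush every reply line
# List form with separate arguments: the helper is started without a shell.
my $pid = open2(my $from_helper, my $to_helper, @ARGV);

while (my $line = <STDIN>) {
    print {$to_helper} rewrite_line($line);
    next unless $line =~ /^\.$/;          # "." ends one request
    while (my $reply = <$from_helper>) {  # relay the reply up to its "."
        print $reply;
        last if $reply =~ /^\.$/;
    }
}

close $to_helper;     # EOF from the caller: let the helper exit
waitpid $pid, 0;      # reap the helper so it does not linger as a zombie
exit($? >> 8);        # pass on the helper's exit status
```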

