[RADIATOR] UserName Rewrite Function

Heikki Vatiainen hvn at open.com.au
Mon Feb 21 04:19:29 CST 2011


On 02/21/2011 01:30 AM, Rianto Wahyudi wrote:

> I think I manage to create a simple wrapper for ntlm_auth. Please see below for the code. 
> One problem with the script is that I don't know how to exit properly. 
> 
> If I don't use exit $auth, the authentication process seems to stall. 
> If I use exit $auth, authentication  process works but it creates zombie process. 
> 
> root     20430  0.0  1.2  19368 13224 ?        Ss   10:03   0:00 /usr/bin/perl /usr/bin/radiusd -config_file /etc/radiator/radius.cfg -daemon
> root     20528  0.0  0.0      0     0 ?        Z    10:06   0:00  \_ [ltu_ntlm_auth] <defunct>
> 
> Could you please let me know proper way to exit ? What value radiator expect from running ntlm_auth?

Try not to exit. Keep your ntlm_auth wrapper running. This is how
ntlm_auth behaves when it is called directly by Radiator. If it exits,
then your wrapper should restart it. This is good for performance.

In case ntlm_auth exits, you should make arrangements to catch SIGCHLD
to prevent zombie processes.

See http://perldoc.perl.org/perlipc.html and search for CHLD. I have not
done this type of programming for a long while, but I suspect the zombie
results from your script not being able to exit since it has not
wait()ed or otherwise handled the termination of ntlm_auth it calls.

If the authentication still seems to stall, you should check how to
flush the socket so that the output from your script does not get
buffered but is delivered completely to Radiator. I'm not completely
sure, but stalling sounds like a buffer related problem.

> #!/usr/bin/perl
> 
> use strict;
> use IPC::Open2;
> use MIME::Base64;
> 
> my @input = @ARGV;      # options handed through to ntlm_auth unchanged
> my $auth = 1;           # exit status: 0 = authenticated, 1 = not (or no answer seen)
> my $line;
> my $username;
> 
> # Start ntlm_auth once; the list form keeps @input away from a shell
> my $pid = open2(*NTLM_OUT, *NTLM_IN, '/usr/bin/ntlm_auth', @input);
> while (<STDIN>) {
>     $line = $_;
>     if ( $line =~ /^Username/)
>     {
>         # rewrite username here (the value is base64 encoded)
>         $username = $line;
>         $username =~ s/Username\:\: //g;
>         $line = usermap (decode_base64($username));
>     }
>     print NTLM_IN $line;
>     if ($line =~ /^\.$/)         # a line holding only "." ends the request
>     {
>         while (<NTLM_OUT>) {
>             print $_;            # relay the answer back to Radiator
>             last if $_ =~  /^\.$/;
>             if ($_ =~ /Authenticated: No/) {
>                 $auth = 1;
>             }
>             if ($_ =~ /Authenticated: Yes/ ){
>                 $auth = 0;
>             }
>         }
>         exit $auth;              # leaves after the first request
>     }
> 
> }
> 
> sub usermap
> {
>     my $uname = $_[0];
>     if ( $uname =~ /r\.wahyudi/ )
>     {
>         $uname="rwahyudi";
>     }
>     $uname = "Username:: ".encode_base64($uname);   # encode_base64 appends the newline
>     return "$uname";
> }
> exit $auth;
> 



-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
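The advice above (stay resident, restart ntlm_auth if it exits, reap it with a SIGCHLD handler, and flush output to Radiator) put together in one wrapper. This is an added example, not code from the original post, from Radiator or from Samba. It assumes what the posted wrapper assumed: ntlm_auth is at /usr/bin/ntlm_auth, a request is a block of "Key: value" lines ended by a line containing only ".", ntlm_auth answers with a block ended the same way, and the username arrives as "Username:: <base64>". The username mapping table is constructed for the example. Note that in the posted ps listing the defunct entry sits directly under radiusd and carries the wrapper's name, so it is the wrapper that is left unreaped when it exits after one request; a wrapper that stays running never gets into that state.

```perl
#!/usr/bin/perl
# Resident ntlm_auth wrapper (added example; not from the original post,
# Radiator or Samba). Assumptions: ntlm_auth at /usr/bin/ntlm_auth, request
# and reply blocks each end with a line containing only ".", and the
# username arrives as "Username:: <base64>", all as in the posted wrapper.
use strict;
use warnings;
use IO::Handle;
use IPC::Open2;
use MIME::Base64;
use POSIX ':sys_wait_h';

my @ntlm_args = @ARGV;                 # passed through to ntlm_auth unchanged
my ($pid, $ntlm_in, $ntlm_out);
my %reaped;                            # pid => wait status of exited children

# Constructed mapping for the example; the posted script used a regex.
my %usermap = ('r.wahyudi' => 'rwahyudi');

# Radiator reads our STDOUT through a pipe, which Perl block-buffers; without
# autoflush a complete reply can sit in the buffer and the request stalls.
STDOUT->autoflush(1);

# Reap exited children as soon as they die so none is left as a zombie, and
# remember which pid went away so the next request knows to restart.
$SIG{CHLD} = sub {
    while ((my $kid = waitpid(-1, WNOHANG)) > 0) {
        $reaped{$kid} = $?;
    }
};
# A write to an ntlm_auth that has just died must fail, not kill the wrapper.
$SIG{PIPE} = 'IGNORE';

sub alive { return defined $pid && !exists $reaped{$pid}; }

# (Re)start ntlm_auth. open2 croaks if it cannot exec the program and
# already sets autoflush on the write handle; it is repeated here for clarity.
sub start_ntlm {
    if (defined $ntlm_in) { close $ntlm_in; close $ntlm_out; }
    $pid = open2($ntlm_out, $ntlm_in, '/usr/bin/ntlm_auth', @ntlm_args);
    $ntlm_in->autoflush(1);
    warn "started ntlm_auth pid $pid\n";
}

# Rewrite the decoded username and re-encode it the way ntlm_auth expects.
sub usermap {
    my ($uname) = @_;
    $uname = $usermap{$uname} if exists $usermap{$uname};
    return 'Username:: ' . encode_base64($uname, '') . "\n";
}

# Send one request block to ntlm_auth and collect its reply block. Returns
# undef if ntlm_auth was not running or went away before finishing the reply.
sub relay {
    my ($request) = @_;
    return undef unless alive();
    print {$ntlm_in} @$request or return undef;
    my $reply = '';
    while (defined(my $l = <$ntlm_out>)) {
        $reply .= $l;
        return $reply if $l =~ /^\.\r?$/;
    }
    return undef;                      # EOF before the "." terminator
}

start_ntlm();
my @request;
while (defined(my $line = <STDIN>)) {
    if ($line =~ /^Username:: (\S+)/) {
        $line = usermap(decode_base64($1));
    }
    push @request, $line;
    next unless $line =~ /^\.\r?$/;    # keep reading until the block is complete

    my $reply = relay(\@request);
    unless (defined $reply) {          # ntlm_auth died: restart and retry once
        warn "ntlm_auth pid $pid gone, restarting\n";
        start_ntlm();
        $reply = relay(\@request);
        die "ntlm_auth died twice on one request\n" unless defined $reply;
    }
    print $reply;                      # flushed at once; no exit here
    @request = ();
}

# Radiator closed our STDIN: shut ntlm_auth down cleanly and wait for it.
if (alive()) {
    close $ntlm_in;
    waitpid($pid, 0);
}
```

The wrapper is configured in place of ntlm_auth, with the same arguments, and only ends when Radiator closes its STDIN. Reaping happens in the CHLD handler, so a crashed ntlm_auth never lingers as a zombie; the handler only records the pid, and the main loop decides to restart, which keeps the restart logic out of signal context. Writes to STDOUT and to ntlm_auth are autoflushed so neither side waits on a buffer that nothing will flush.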
