
operator "-=" does not work in radiusReplyAttribute of rlm_ldap module

Open • hira2018 opened this issue 5 years ago • 1 comment

Issue type

  • Defect - Unexpected behaviour.

How to reproduce the issue

Prepare the following LDAP users

dn: uid=test0601,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: radiusprofile
uid: test0601
cn: test0601
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/test0601
userPassword: {SSHA}DRkMJV9gJU8qcdmtEXV3y61ud2pQwwTN
radiusReplyAttribute: Reply-Message -= message

Set "Reply-Message := message" in the following users_test file.

DEFAULT
   Reply-Message := message

After users_test is applied during user authentication, the LDAP search is performed, but the "-=" operator of radiusReplyAttribute does not work and "Reply-Message = message" is returned.

Output of [radiusd|freeradius] -X showing issue occurring

FreeRADIUS Version 3.0.21

(0) Received Access-Request Id 43 from 192.168.1.245:55931 to 192.168.1.218:1812 length 48
(0)   User-Name = "test0601"
(0)   User-Password = "password"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0) users_test: users: Matched entry DEFAULT at line 1
(0)     [users_test] = ok
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = ok
(0)     } # policy filter_username = ok
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test0601", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=test0601)
(0) ldap: Performing search in "ou=People,dc=example,dc=com" with filter "(uid=test0601)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=test0601,ou=People,dc=example,dc=com"
(0) ldap: Processing user attributes
(0) ldap: control:Password-With-Header += '{SSHA}DRkMJV9gJU8qcdmtEXV3y61ud2pQwwTN'
(0) ldap: reply::Reply-Message -= 'message'
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = updated
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password
(0) pap: Removing &control:Password-With-Header
(0) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" SSHA-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 43 from 192.168.1.218:1812 to 192.168.1.245:55931 length 0
(0)   Reply-Message = "message"
(0) Finished request
Thread 5 waiting to be assigned a request
Waking up in 4.6 seconds.

hira2018 • Jun 01 '20 10:06

The rlm_ldap_map_verify() function says that it handles -=, but the rlm_ldap_map_getvalue() function only looks at +=, and has no code to handle -=.

Either the documentation should be updated to say that -= isn't handled, or the code should be updated to support -=.

alandekok • Jun 21 '22 13:06

I've updated the documentation to be correct. It would have been some effort to add support for -=.

alandekok • Apr 20 '23 14:04
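A check that follows from this thread, added here as an example and not part of the issue or of FreeRADIUS: a small audit script that scans an LDIF export for radius*Attribute mappings that use "-=", the operator rlm_ldap verifies but never applies, so an administrator can find profiles whose mappings silently do nothing. The LDIF sample is constructed after the entry in the report, and the attribute names for the check and control mappings are assumed from the default rlm_ldap module config.

```python
import re
from typing import Dict, List, Tuple

# Constructed LDIF sample modelled on the entry in the report (not from a live directory).
SAMPLE_LDIF = """\
dn: uid=test0601,ou=People,dc=example,dc=com
objectClass: radiusprofile
uid: test0601
radiusReplyAttribute: Reply-Message -= message

dn: uid=test0602,ou=People,dc=example,dc=com
objectClass: radiusprofile
uid: test0602
radiusReplyAttribute: Framed-IP-Address := 10.0.0.2
radiusCheckAttribute: Auth-Type -= Reject
"""

# LDAP attributes rlm_ldap maps onto the request (assumed names from the default module config).
MAP_ATTRS = ("radiusCheckAttribute", "radiusReplyAttribute", "radiusControlAttribute")
# Per the thread: rlm_ldap_map_verify() accepts "-=" but rlm_ldap_map_getvalue() never applies it.
UNAPPLIED_OPS = {"-="}
# "<RADIUS attribute> <operator> <value>"; longest operators listed first so "-=" is not read as "=".
OP_RE = re.compile(
    r"^(?P<attr>[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)\s*"
    r"(?P<op>:=|\+=|-=|==|!=|>=|<=|=~|!~|=\*|!\*|=|>|<)\s*(?P<value>.*)$"
)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines (no base64, no folding)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_unapplied_ops(ldif_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (dn, ldap_attr, radius_attr, op) for every mapping rlm_ldap would silently drop."""
    hits = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for ldap_attr in MAP_ATTRS:
            for raw in entry.get(ldap_attr, []):
                m = OP_RE.match(raw)
                if m and m.group("op") in UNAPPLIED_OPS:
                    hits.append((dn, ldap_attr, m.group("attr"), m.group("op")))
    return hits


if __name__ == "__main__":
    for dn, ldap_attr, radius_attr, op in find_unapplied_ops(SAMPLE_LDIF):
        print(f"{dn}: {ldap_attr} uses '{op}' on {radius_attr}; rlm_ldap will not apply it")
```

Run it against the output of an ldapsearch export of the profile subtree; every line it prints is a mapping that has to be moved into unlang (for example an update block in post-auth) or rewritten with a supported operator.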