
operator "-=" does not work in radiusReplyAttribute of rlm_ldap module #3475

Open
hira2018 opened this issue Jun 1, 2020 · 1 comment
Assignees
Labels
defect v3.x.x

Comments

@hira2018

hira2018 commented Jun 1, 2020

Issue type

  • Defect - Unexpected behaviour.

How to reproduce the issue

Prepare the following LDAP user:

dn: uid=test0601,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: radiusprofile
uid: test0601
cn: test0601
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/test0601
userPassword: {SSHA}DRkMJV9gJU8qcdmtEXV3y61ud2pQwwTN
radiusReplyAttribute: Reply-Message -= message

Set "Reply-Message := message" in the following users_test file.

DEFAULT
   Reply-Message := message

At authentication time users_test is applied and then the LDAP search is performed, but the "-=" operator of radiusReplyAttribute does not work and "Reply-Message = message" is returned.

Output of [radiusd|freeradius] -X showing issue occurring

FreeRADIUS Version 3.0.21

(0) Received Access-Request Id 43 from 192.168.1.245:55931 to 192.168.1.218:1812 length 48
(0)   User-Name = "test0601"
(0)   User-Password = "password"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0) users_test: users: Matched entry DEFAULT at line 1
(0)     [users_test] = ok
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = ok
(0)     } # policy filter_username = ok
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test0601", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=test0601)
(0) ldap: Performing search in "ou=People,dc=example,dc=com" with filter "(uid=test0601)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=test0601,ou=People,dc=example,dc=com"
(0) ldap: Processing user attributes
(0) ldap: control:Password-With-Header += '{SSHA}DRkMJV9gJU8qcdmtEXV3y61ud2pQwwTN'
(0) ldap: reply::Reply-Message -= 'message'
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = updated
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password
(0) pap: Removing &control:Password-With-Header
(0) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" SSHA-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 43 from 192.168.1.218:1812 to 192.168.1.245:55931 length 0
(0)   Reply-Message = "message"
(0) Finished request
Thread 5 waiting to be assigned a request
Waking up in 4.6 seconds.
@alandekok
Member

alandekok commented Jun 21, 2022

The rlm_ldap_map_verify() function says that it handles -=, but the rlm_ldap_map_getvalue() function only looks at +=, and has no code to handle -=.

Either the documentation should be updated to say that -= isn't handled, or the code should be updated to support -=.

@alandekok alandekok added defect v3.x.x labels Jun 21, 2022
@alandekok alandekok assigned alandekok and jpereira and unassigned alandekok Jun 21, 2022
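As an added example that is neither FreeRADIUS code nor the reporter's, a small Python model of the reply-list operators applied in the order the debug output shows (users_test first, then ldap): with `-=` handled as documented, the LDAP value removes the Reply-Message set by the users file; with `ldap_handles_sub=False` (an assumption of this model, standing in for the code path alandekok says is missing in rlm_ldap_map_getvalue()) the reply keeps `Reply-Message = "message"`, as in the report.

```python
"""Added model (not FreeRADIUS code) of the reply-list operators =, :=, +=, -=.

The users file entry is applied first and the LDAP radiusReplyAttribute values
second, as in the authorize order of the debug output (users_test, then ldap).
"""
import re

# "Attribute OP value"; the name is matched lazily so "-=" is not swallowed
# into a name such as "Reply-Message".
_MAP = re.compile(r"^\s*(?P<attr>[A-Za-z][\w-]*?)\s*(?P<op>-=|\+=|:=|=)\s*(?P<val>.*?)\s*$")

def parse_map(line):
    """Parse 'Reply-Message -= message' into ('Reply-Message', '-=', 'message')."""
    m = _MAP.match(line)
    if not m:
        raise ValueError(f"not an attribute map: {line!r}")
    return m["attr"], m["op"], m["val"]

def apply_op(reply, attr, op, value):
    """Apply one (attr, op, value) to a reply list of (attr, value) tuples."""
    if op == "=":       # add only when no attribute of that name is present
        if not any(a == attr for a, _ in reply):
            reply.append((attr, value))
    elif op == ":=":    # set: replace every existing instance with this one
        reply[:] = [p for p in reply if p[0] != attr] + [(attr, value)]
    elif op == "+=":    # append unconditionally
        reply.append((attr, value))
    elif op == "-=":    # remove the matching attribute/value pair(s)
        reply[:] = [p for p in reply if p != (attr, value)]
    else:
        raise ValueError(f"unknown operator {op!r}")
    return reply

def build_reply(users_entry, ldap_reply_attrs, ldap_handles_sub=True):
    """Reply list after the users entry, then the LDAP map values.

    ldap_handles_sub is an assumption of this model: False reproduces the
    reported outcome, where a "-=" value is accepted but never applied.
    """
    reply = []
    for line in users_entry:
        apply_op(reply, *parse_map(line))
    for line in ldap_reply_attrs:
        attr, op, value = parse_map(line)
        if op == "-=" and not ldap_handles_sub:
            continue    # defect as reported: parsed, but no code path acts on it
        apply_op(reply, attr, op, value)
    return reply
```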