Hi Heikki,

I think I managed to create a simple wrapper for ntlm_auth. Please see below for the code. One problem with the script is that I don't know how to exit properly.
If I don't use exit $auth, the authentication process seems to stall. If I use exit $auth, the authentication process works but it creates a zombie process:

root 20430 0.0 1.2 19368 13224 ? Ss 10:03 0:00 /usr/bin/perl /usr/bin/radiusd -config_file /etc/radiator/radius.cfg -daemon
root 20528 0.0 0.0 0 0 ? Z 10:06 0:00 \_ [ltu_ntlm_auth] <defunct>

Could you please let me know the proper way to exit? What value does Radiator expect from running ntlm_auth?

Regards,
Rianto Wahyudi

#!/usr/bin/perl
# Wrapper around ntlm_auth: rewrites the Username:: line of the
# ntlm-server-1 request, forwards the request and relays the reply.
use strict;
use warnings;
use FileHandle;
use IPC::Open2;
use MIME::Base64;

my @input = @ARGV;
my $auth = 1;          # fail closed: only an "Authenticated: Yes" reply clears this
my $line;
my $username;

STDOUT->autoflush(1);  # replies must reach Radiator without buffering
my $pid = open2(*NTLM_OUT, *NTLM_IN, "/usr/bin/ntlm_auth @input");

while (<STDIN>) {
    $line = $_;
    if ( $line =~ /^Username/ ) {
        # rewrite username here
        $username = $line;
        $username =~ s/Username\:\: //g;
        $line = usermap(decode_base64($username));
    }
    print NTLM_IN $line;
    if ($line =~ /^\.$/) {
        # end of request: relay the reply block up to its terminating dot
        while (<NTLM_OUT>) {
            print $_;
            last if $_ =~ /^\.$/;
            if ($_ =~ /Authenticated: No/)  { $auth = 1; }
            if ($_ =~ /Authenticated: Yes/) { $auth = 0; }
        }
        # close the pipes and reap ntlm_auth before exiting, so it does
        # not stay behind as a <defunct> child
        close NTLM_IN;
        close NTLM_OUT;
        waitpid($pid, 0);
        exit $auth;
    }
}

sub usermap {
    my $uname = $_[0];
    if ( $uname =~ /r\.wahyudi/ ) {
        $uname = "rwahyudi";
    }
    $uname = "Username:: " . encode_base64($uname);
    return "$uname";
}

# STDIN closed without a complete request: reap ntlm_auth and fail
close NTLM_IN;
close NTLM_OUT;
waitpid($pid, 0);
exit $auth;

-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au]
Sent: Friday, 18 February 2011 7:47 AM
To: Rianto Wahyudi
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] UserName Rewrite Function

On 02/17/2011 02:44 AM, Rianto Wahyudi wrote:
> We have a MySQL database containing email aliases which map to Active Directory
> users.
> Ie : rianto.wahy...@latrobe.edu.au mapped to rwahy...@ltu.edu.au
>
> I would like to utilize this database so users can login with their email
> address or their AD username.
> Is it possible to pass UserNameRewrite to a function or another perl script ?
RewriteUserName expects its argument to be something that the Perl binding operator can use:
http://perldoc.perl.org/perlop.html#Binding-Operators

For me it looks like you can not use a function to map the email addresses to AD usernames.

> All authentication is done via NTLM, and I believe radiator uses the ntlm_auth
> program.
> Is it possible to create a wrapper for the ntlm_auth script ?

This is an interesting idea. Ntlm_auth is launched with the open2() function
http://perldoc.perl.org/IPC/Open2.html

Parameters are written with print() to $chld_out and read with readline() from $child_in. A single dot signals the end of input or output as documented by the ntlm_auth man page. So the communication is quite simple and if you decide to give this a try, it would be interesting to hear about the results.

> Here is my handler setup :
>
> # STUDENTS DOMAIN TTLS
> <Handler Client-Identifier=Eduroam-Server,
> TunnelledByTTLS=1,Realm=/students.*/i>
>         RewriteUsername s/^\@.*//
>         <AuthBy NTLM>
>                 EAPType MSCHAP-V2
>                 Domain STUDENTS
>                 UsernameMatchesWithoutRealm
>         </AuthBy>
> </Handler>

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
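As an added example, not Rianto's script or Radiator's own code, the wrapper below combines the two ideas in the thread: it drives the ntlm_auth exchange Heikki describes (request block, single dot, reply block, single dot) and maps an e-mail alias to the AD account through the MySQL alias table Rianto mentions. The DSN, credentials, and the email_alias(alias, ad_user) table are assumptions; the query is parameterised so the decoded username is never interpolated into SQL, and the child is reaped so no <defunct> ntlm_auth is left behind.

```perl
#!/usr/bin/perl
# Added example (not Rianto's script or Radiator code): ntlm_auth wrapper that
# maps an e-mail alias to the AD username via MySQL, then proxies one
# ntlm-server-1 exchange. DSN, credentials and schema are assumptions.
use strict;
use warnings;
use DBI;
use IPC::Open2;
use MIME::Base64;

my $NTLM_AUTH = '/usr/bin/ntlm_auth';
my $DSN       = 'DBI:mysql:database=radius;host=localhost';   # assumed
my ($DB_USER, $DB_PASS) = ('radius', 'CHANGEME');            # assumed

# Return the AD account for an e-mail alias, or the name unchanged when no
# mapping exists, so plain AD logins keep working.
sub map_alias {
    my ($dbh, $name) = @_;
    # assumed schema: email_alias(alias, ad_user); bind parameter, never interpolate
    my ($ad_user) = $dbh->selectrow_array(
        'SELECT ad_user FROM email_alias WHERE alias = ? LIMIT 1', undef, lc $name);
    return defined $ad_user ? $ad_user : $name;
}

my $dbh = DBI->connect($DSN, $DB_USER, $DB_PASS, { RaiseError => 1, PrintError => 0 });

$| = 1;   # relayed reply lines must reach Radiator immediately
my $pid  = open2(my $from_ntlm, my $to_ntlm, $NTLM_AUTH, @ARGV);  # list form: no shell
my $auth = 1;   # fail closed: exit 0 only after an explicit "Authenticated: Yes"

while (my $line = <STDIN>) {
    if ($line =~ /^Username:: (\S+)/) {
        my $user = map_alias($dbh, decode_base64($1));
        $line = 'Username:: ' . encode_base64($user, '') . "\n";
    }
    print {$to_ntlm} $line;
    next unless $line =~ /^\.\r?$/;          # single dot ends the request block

    while (my $reply = <$from_ntlm>) {      # relay the reply block verbatim
        print $reply;
        $auth = 0 if $reply =~ /^Authenticated: Yes/;
        last  if $reply =~ /^\.\r?$/;        # single dot ends the reply block
    }
    last;   # one request per process, as observed in the thread
}
close $to_ntlm;
close $from_ntlm;
waitpid($pid, 0);   # reap ntlm_auth so it does not linger as a zombie
$dbh->disconnect;
exit $auth;
```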