Hi,
I have two feature requests for AuthNTLM. I wrote patches for these
which work for me, but I'm not sure what quality they are. ;) Both
are attached. All patches are against Radiator 4.13 (latest patch
set).
* ntlm_auth_prog-with-variables.patch:
This one is related to my last request. I need to use the variable
%{Handler:Identifier} in NtlmAuthProg (for group membership checks).
I noticed that I can't, because %{...} was not substituted in
NtlmAuthProg statements, so I patched Radiator. This is not in
production yet (as I was in trouble with the PEAP inner request
User-Name problem), but it works in my testing environment.
* ntlm-rewritefunction.patch:
This one is simply because I need a rewrite function for the inner
identity in PEAP/MSCHAP-V2 auth. It has been in production for three
years or more and there has never been a problem with it.
I would be very happy if this (or some better code with the desired
functionality) could be included in radiator.
Thanks
Klara
--- a/Radius/AuthNTLM.pm
+++ b/Radius/AuthNTLM.pm
@@ -275,12 +275,14 @@
{
my ($self, $p, %args) = @_;
+ my $ntlm_auth_prog = &Radius::Util::format_special($self->{NtlmAuthProg}, $p, undef);
+
# Maybe (re)start the child
if (!$self->{read_handle})
{
# Not connected, connect now
- $self->log($main::LOG_INFO, "Starting NtlmAuthProg: $self->{NtlmAuthProg}", $p);
- $self->{child_pid} = open2($self->{read_handle}, $self->{write_handle}, $self->{NtlmAuthProg});
+ $self->log($main::LOG_INFO, "Starting NtlmAuthProg: $ntlm_auth_prog", $p);
+ $self->{child_pid} = open2($self->{read_handle}, $self->{write_handle}, $ntlm_auth_prog);
}
# Push the input arguments onto the childs stdin
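Review bot: the expanded command string is computed on every call, but the child is only started when `$self->{read_handle}` is unset, so the `NtlmAuthProg` expansion from the first request is reused for all later requests even when `%{Handler:Identifier}` (or any other special) would expand differently; either compare the new `$ntlm_auth_prog` against the one the running child was started with and restart it when it changes, or document that only the first expansion takes effect. Also, `open2` is still handed a single string, which Perl runs through the shell when it contains metacharacters; now that `format_special` is applied with the request `$p`, the documentation for `NtlmAuthProg` should restrict substitutions to configuration-controlled specials such as `%{Handler:Identifier}` and warn against request-derived ones (user name, attributes), or the call should pass program and arguments as a list so no shell is involved.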
--- a/Radius/AuthGeneric.pm
+++ b/Radius/AuthGeneric.pm
@@ -92,6 +92,11 @@
'forces Windows Domain Controller type authenticators to strip any realm from the username before authenticating the name with the domain controller. This allows users to log in with \`user@realm\', even though their domain controller user name is just \`user\'. Supported by AuthBy ADSI, AuthBy IPASS, AuthBy NTLM, AuthBy NT, AuthBy PAM, AuthBy TACACSPLUS, and PEAP',
1],
+ 'RewriteFunction' =>
+ ['hook',
+ 'Perl function to rewrite user names. You can define an arbitrarily complex Perl function that might call external programs, search in databases or whatever. The username is changed to whatever is returned by this function.',
+ 2],
+
'RejectEmptyPassword' =>
['flag',
'Forces any Access-Request with an empty password to be rejected. This is provided as a work around for some broken remote Radius servers (VMS Radius server in particular) that incorrectly accept requests with empty passwords.',
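Review bot: the help text for `RewriteFunction` should state the hook's calling convention (it receives the request and the current user name, and the first value it returns replaces the user name), and since the keyword is registered here in `AuthGeneric.pm` readers will expect every AuthBy to honour it, while this patch only acts on it in AuthBy NTLM and makes it take precedence over `UsernameMatchesWithoutRealm`; say so in the description, in the same style as the `UsernameMatchesWithoutRealm` entry above that lists its supporting AuthBys.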
--- a/Radius/AuthNTLM.pm
+++ b/Radius/AuthNTLM.pm
@@ -227,7 +227,14 @@
# for user auth must be the cracked name (no domain)
my $kuser = $user;
if ($user =~ /^host\/([^\.]+)/) { $user = "$1\$"; }
- $user =~ s/@[^@]*$// if $self->{UsernameMatchesWithoutRealm};
+ if (length $self->{RewriteFunction})
+ {
+ ($user) = $self->runHook('RewriteFunction', $p, $user);
+ $self->log($main::LOG_DEBUG, "RewriteFunction rewrote user name to $user", $p);
+ }
+ elsif ($self->{UsernameMatchesWithoutRealm}) {
+ $user =~ s/@[^@]*$//;
+ }
$user = &Radius::Util::format_special($self->{UsernameFormat}, $p, undef, $user);
$domain = &Radius::Util::format_special($self->{DomainFormat}, $p, undef, $domain);
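Review bot: the `elsif` silently disables `UsernameMatchesWithoutRealm` whenever `RewriteFunction` is configured; if the two are meant to be exclusive, log that the realm strip is skipped, otherwise apply `s/@[^@]*$//` after the hook as well. The hook's return is also used unchecked: `($user) = $self->runHook(...)` leaves `$user` undefined when the function returns an empty list or `undef`, and that value then flows into the debug log line, `format_special` and the `NtlmAuthProg` exchange; check `defined` and `length` on the result and either reject the request or fall back to the original name, and include the pre-rewrite name in the debug message so rewrites can be audited.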
_______________________________________________
radiator mailing list
http://www.open.com.au/mailman/listinfo/radiator