(RADIATOR) Password Extraction Probs

1999-08-25 Thread Mark O'Leary

I'm still completely at a loss as to how to make the plaintext password
supplied in the radius packet available to the module I am hacking for LDAP
authentication. My Perl isn't up to spotting how to get the routines
elsewhere in Radiator to work for me and supply this. Please could someone
talk me through it? (slowly and with no long words, for preference!)

I'm running Radiator-2.14 under FreeBSD 3.2-Release with Perl version
5.005_03 built for i386-freebsd.

The relevant part of my config for testing this function is:

<Realm>
    MaxSessions 2
    <AuthBy NEWLDAP>
        Host            x.mcc.ac.uk
        Port            389
        BaseDN          c=UK
        UsernameAttr    uid
        CheckAttr       checkitems
        ReplyAttr       replyitems
    </AuthBy>
    AcctLogFileName %L/LDAP-detail.%m%y
    PasswordLogFileName %L/LDAP-passwd-log.%m%y
    ExcludeFromPasswordLog   yyy
    RejectHasReason
</Realm>


The relevant portion of my optimistically-named NEWLDAP module is:

sub findUser
{
    my ($self, $name, $p) = @_;

    # Connect and bind anonymously to look the user up.
    return (undef, 1) unless $self->reconnect;
    return (undef, 1) unless $self->anonbind;

    my $user;

    my @attrs;
    push(@attrs, $self->{CheckAttr}) if defined $self->{CheckAttr};
    push(@attrs, $self->{ReplyAttr}) if defined $self->{ReplyAttr};

    my $result = $self->{ld}->search
        (base   => $self->{BaseDN},
         scope  => 'sub',
         filter => "($self->{UsernameAttr}=$name)",
         attrs  => \@attrs);

    if (!$result || $result->code() != LDAP_SUCCESS)
    {
        my $code = $result ? $result->code() : -1;
        my $errname = ldap_error_name($code);
        $self->log($main::LOG_ERR, "ldap search failed with error $errname");
        $self->{ld} = undef;
        return (undef, 1);
    }

    my $entry = $result->entry(0);
    if ($entry)
    {
        $user = new Radius::User;

        my $dn = $entry->dn;
        $self->log($main::LOG_DEBUG, "LDAP got result for $dn");

        # Copy the check and reply items from the LDAP entry into the user.
        my ($attr);
        foreach $attr ($entry->attributes())
        {
            my @vals = $entry->get($attr);
            $self->log($main::LOG_DEBUG, "LDAP got $attr: @vals");

            $attr = lc $attr;
            if ($attr eq lc $self->{CheckAttr})
            {
                $user->get_check->parse(join ',', @vals);
            }
            elsif ($attr eq lc $self->{ReplyAttr})
            {
                $user->get_reply->parse(join ',', @vals);
            }
        }
    }
    else
    {
        $self->log($main::LOG_DEBUG, "No entries for $name found in LDAP database");
        $self->unbind;
        return 0;
    }

    $self->unbind;

    # Now we connect and do the login as the user.

    return (undef, 1) unless $self->reconnect;

    # THIS NEEDS TO BE FIXED
    # As you can see, for testing, I've hard-coded a password, because
    # trying to extract it directly doesn't seem to work... yet!

    my $password = "monday";

    # The commented out line below doesn't work!

    #   my $password = $self->decode_password($self->{Client}->{Secret});

    my $result = $self->{ld}->bind ( dn => $entry->dn, password => $password);

    if (!$result || $result->code() != LDAP_SUCCESS)
    {
        $self->log($main::LOG_DEBUG, "USER FAILED TO AUTHENTICATE");
        my $code = $result ? $result->code() : -1;
        my $error = ldap_error_name($code);
        $self->log($main::LOG_DEBUG, "Error Code: $code\nError Name: $error");
        $self->unbind;
        return 0;
    }
    $self->log($main::LOG_DEBUG, "USER AUTHENTICATED!");
    return $user;
}
1;


Advice, please?

I want to purchase Radiator (it's currently on evaluation), but can't unless
what I'm trying to do is at least possible...

Thanks,

M.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Mark O'Leary,| Voice: +44 (0161) 2756110 | Mark O'Leary,
 Network Support Officer, |   Fax: +44 (0161) 2756040 | Deputy Warden,
 Manchester Computing, UK | Email: [EMAIL PROTECTED] | Moberly Hall, UoM.




Re: (RADIATOR) Password Extraction Probs

1999-08-25 Thread Mike McCauley

Hi Mark,

almost right. The line you commented out:

  my $password = $self->decode_password($self->{Client}->{Secret});

should be changed to be
  my $password = $p->decode_password($p->{Client}->{Secret});

and that will work for PAP passwords.
($p is the handle to the incoming request.)

Hope that helps.

Cheers.
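
Background to the fix above, as an added example that is not part of the original posts and not Radiator's own code: RFC 2865 (section 5.2) hides a PAP User-Password with MD5 over the shared secret and the packet's Request Authenticator, so recovering it needs the request packet as well as the client secret. The function names and sample values below are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: RFC 2865 section 5.2 User-Password hiding (PAP).
# Function names and sample values are constructed for illustration.
use strict;
use warnings;
use Digest::MD5 qw(md5);

# Hide a plaintext password the way a NAS does before sending Access-Request.
sub hide_password {
    my ($plain, $secret, $authenticator) = @_;
    # Pad with NULs to a multiple of 16 octets (at least one block).
    my $pad = (16 - length($plain) % 16) % 16;
    $pad = 16 if length($plain) == 0;
    $plain .= "\0" x $pad;
    my ($prev, $out) = ($authenticator, '');
    for (my $i = 0; $i < length($plain); $i += 16) {
        # c(i) = p(i) XOR MD5(secret . c(i-1)); c(0) is the Request Authenticator
        my $c = substr($plain, $i, 16) ^ md5($secret . $prev);
        $out .= $c;
        $prev = $c;
    }
    return $out;
}

# Recover the plaintext on the server: needs the attribute value and the
# Request Authenticator from the packet, plus the client's shared secret.
sub recover_password {
    my ($hidden, $secret, $authenticator) = @_;
    my $len = length($hidden);
    return undef if $len == 0 || $len % 16 || $len > 128;   # malformed attribute
    my ($prev, $out) = ($authenticator, '');
    for (my $i = 0; $i < $len; $i += 16) {
        my $c = substr($hidden, $i, 16);
        $out .= $c ^ md5($secret . $prev);
        $prev = $c;
    }
    $out =~ s/\0+\z//;    # strip the NUL padding
    return $out;
}

# Constructed sample values (not from the thread).
my $secret        = 'example-shared-secret';
my $authenticator = pack('H*', '000102030405060708090a0b0c0d0e0f');
my $hidden        = hide_password('a-long-sample-passphrase', $secret, $authenticator);

printf "hidden attribute: %s\n", unpack('H*', $hidden);
printf "right secret    : %s\n", recover_password($hidden, $secret, $authenticator);
printf "wrong secret    : %s\n", unpack('H*', recover_password($hidden, 'other', $authenticator));
```

With the wrong secret the output is unrelated bytes rather than an error, which is why a mismatched client secret shows up as a failed bind or a bad password, not as a decode failure.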

