privacyidea / FreeRADIUS

Add two factor authentication to FreeRADIUS via privacyIDEA
GNU General Public License v2.0

Return the same attribute multiple times in radius plugin #46

Closed cmammoli closed 3 years ago

cmammoli commented 3 years ago

Opening here in reference to this: https://github.com/privacyidea/privacyidea/issues/2447

I checked and the group attribute is indeed a multivalue attribute in the resolver:

image

This is the attribute config in rlm_perl.ini:

[Attribute Fortinet-Group-Name]
dir = user
userAttribute = group
#regex = ^CN=((?:EXT_)?VPN.*?),
regex = ^CN=(.*?),

This is a debug run of my user:

Thu Oct 15 09:52:06 2020 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: Debugging config: true
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: Default URL https://otp.apra.it/validate/check
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: Looking for config for auth-type perl
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: Called-Station-Id = 192.168.16.69
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: Calling-Station-Id = 217.133.12.151
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: Fortinet-Vdom-Name = root
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: NAS-Identifier = APRAFW
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: User-Name = c.mammoli
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.16.69
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: User-Password = REDACTED
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: Event-Timestamp = Oct 15 2020 09:52:06 CEST
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: Acct-Session-Id = 67773d10
Thu Oct 15 09:52:06 2020 : rlm_perl: RAD_REQUEST: Connect-Info = vpn-ssl
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: Auth-Type: perl
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: url: https://otp.apra.it/validate/check
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: user sent to privacyidea: c.mammoli
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: realm sent to privacyidea:
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: resolver sent to privacyidea:
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: client sent to privacyidea: 192.168.16.69
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: state sent to privacyidea:
Thu Oct 15 09:52:06 2020 : rlm_perl: urlparam user = c.mammoli
Thu Oct 15 09:52:06 2020 : rlm_perl: urlparam pass = REDACTED
Thu Oct 15 09:52:06 2020 : rlm_perl: urlparam client = 192.168.16.69
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: Request timeout: 21
Thu Oct 15 09:52:06 2020 : Info: rlm_perl: Not verifying SSL certificate!
Thu Oct 15 09:52:11 2020 : Error: (2) Ignoring duplicate packet from client fgt-jesi-01 port 20051 - ID: 130 due to unfinished request in component authenticate module perl
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: elapsed time for privacyidea call: 7.839644
Thu Oct 15 09:52:13 2020 : rlm_perl: Content {"detail": {"message": "matching 1 tokens", "otplen": 6, "serial": "PIPU00005CC8", "threadid": 140712699541248, "type": "push", "user": {"surname": "Mammoli", "phone": "+390731719822", "givenname": "Cristian", "group": ["CN=Office365,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it", "CN=VPN-Tecnici,OU=Gruppi VPN,OU=Utenti,DC=apra,DC=it", "CN=RDM-Tecnici-ReadWrite,OU=Gruppi RDM,OU=Utenti,DC=apra,DC=it", "CN=VAULT_SecurityAdmins,OU=Gruppi Vault,OU=Utenti,DC=apra,DC=it", "CN=Mail Apra Io Resto a Casa,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Cynet_Admins,OU=Gruppi Cynet,OU=Utenti,DC=apra,DC=it", "CN=TeamViewerEnrollment,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it", "CN=Mail aws,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail MIQ Admin,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=MIQ_Tecnici,OU=Gruppi MIQ,OU=Utenti,DC=apra,DC=it", "CN=Mail NAC Alert,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Stampante CANON-C3525-BN,OU=Gruppi Stampanti,OU=Utenti,DC=apra,DC=it", "CN=Mail officetecnico,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail Postmaster,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail teck,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail storage,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail rad,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail mailrep,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail Cellulare,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail Apra Informatica,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail Apra Spa,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=Mail Linux Creso,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it", "CN=CLOUD_Tecnici,OU=Gruppi CLOUD,OU=Utenti,DC=apra,DC=it", "CN=OTRS-Tecnici,OU=Gruppi OTRS,OU=Utenti,DC=apra,DC=it", "CN=Stampante HP-PIANO-TERRA-BN,OU=Gruppi Stampanti,OU=Utenti,DC=apra,DC=it", "CN=Stampante SAMSUNG-COMMERCIALI-COLORI,OU=Gruppi Stampanti,OU=Utenti,DC=apra,DC=it", "CN=Stampante SMA1,OU=Gruppi Stampanti,OU=Utenti,DC=apra,DC=it", "CN=Visualizzazione Calendario 
Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it", "CN=Schema Admins,CN=Users,DC=apra,DC=it", "CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it", "CN=Domain Admins,CN=Users,DC=apra,DC=it"], "username": "c.mammoli", "email": "c.mammoli@apra.it", "mobile": "+393355834844", "password": ""}, "user-resolver": "apra_ldap", "user-realm": "apra.it"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": true}, "time": 1602748333.8583019, "version": "privacyIDEA 3.4", "versionnumber": "3.4", "signature": "rsa_sha256_pss:d4f5dbf4b6633f70098018ee70842ac237248110226de2768973aafbbd1f412b09251d1265950ac6c28e27871473139f98336cca5e7264f2f736f65bba4e0102b0f1c4e3b6f9e88305ce2524c8e9a5c2d6fd5298e759778b06310483edef2ce810b830368d94e051b2b4b83643043e2560148b9837325116064e98863f83703b3ddff4abfae34ea7248e15855eabc73df2bb84d1a90632d600530aeaa3d20a65664caf7858ca95469675bab65d457a10d33cca060e38e1cafaaa6e92cf185081e92d39123371d1b6065b1be7c0d41fdc2442f8c06742c684629d5288525993d32fee90697ccd38d9634b28f3ff106f259bdcd9f65a2fa32cebbc8976c816861f"}
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: privacyIDEA access granted
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++ Parsing group: Attribute
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++ Found member 'Attribute Fortinet-Group-Name'
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++ Attribute: IF 'user'->'group' == '^CN=(.*?),' THEN 'Fortinet-Group-Name'
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++ searching in directory user
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ User attribute is a list: ARRAY(0x7f4c9435cc10)
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Office365,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Office365
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=VPN-Tecnici,OU=Gruppi VPN,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = VPN-Tecnici
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=RDM-Tecnici-ReadWrite,OU=Gruppi RDM,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = RDM-Tecnici-ReadWrite
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=VAULT_SecurityAdmins,OU=Gruppi Vault,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = VAULT_SecurityAdmins
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail Apra Io Resto a Casa,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail Apra Io Resto a Casa
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Cynet_Admins,OU=Gruppi Cynet,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Cynet_Admins
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=TeamViewerEnrollment,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = TeamViewerEnrollment
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail aws,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail aws
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail MIQ Admin,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail MIQ Admin
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=MIQ_Tecnici,OU=Gruppi MIQ,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = MIQ_Tecnici
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail NAC Alert,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail NAC Alert
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Stampante CANON-C3525-BN,OU=Gruppi Stampanti,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Stampante CANON-C3525-BN
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail officetecnico,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail officetecnico
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail Postmaster,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail Postmaster
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail teck,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail teck
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail storage,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail storage
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail rad,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail rad
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail mailrep,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail mailrep
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail Cellulare,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail Cellulare
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail Apra Informatica,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail Apra Informatica
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail Apra Spa,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail Apra Spa
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Mail Linux Creso,OU=Gruppi Mail,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Mail Linux Creso
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=CLOUD_Tecnici,OU=Gruppi CLOUD,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = CLOUD_Tecnici
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=OTRS-Tecnici,OU=Gruppi OTRS,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = OTRS-Tecnici
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Stampante HP-PIANO-TERRA-BN,OU=Gruppi Stampanti,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Stampante HP-PIANO-TERRA-BN
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Stampante SAMSUNG-COMMERCIALI-COLORI,OU=Gruppi Stampanti,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Stampante SAMSUNG-COMMERCIALI-COLORI
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Stampante SMA1,OU=Gruppi Stampanti,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Stampante SMA1
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Visualizzazione Calendario Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Visualizzazione Calendario Tecnici
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Schema Admins,CN=Users,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Schema Admins
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Tecnici,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Tecnici
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++++ trying to match CN=Domain Admins,CN=Users,DC=apra,DC=it
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = Domain Admins
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: ++++ Parsing group: Mapping
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++++ Found member 'Mapping user'
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: +++ Map: serial -> privacyIDEA-Serial
Thu Oct 15 09:52:13 2020 : Info: rlm_perl: return RLM_MODULE_OK

Looking at the perl code:

if (ref($attributevalue) eq "ARRAY") {
    &radiusd::radlog(Info, "+++++++ User attribute is a list: $attributevalue");
    @values = @$attributevalue;
}
foreach my $value (@values) {
    &radiusd::radlog(Info, "+++++++ trying to match $value");
    if ($value =~ /$regex/) {
        my $result = $1;
        $radReply{$radiusAttribute} = "$prefix$result$suffix";
        &radiusd::radlog(Info, "++++++++ Result: Add RADIUS attribute $radiusAttribute = $result");
    } else {
        &radiusd::radlog(Info, "++++++++ Result: No match, no RADIUS attribute $radiusAttribute added.");
    }
}

Correct me if I'm wrong: if the user attribute is an array, every member of the array is compared to the configured regex. If a match is found, $radReply{Fortinet-Group-Name} is set to the group name. So for every member $radReply{Fortinet-Group-Name} is overwritten, right?

cornelinux commented 3 years ago

You are right. In the current master this is already done correctly:

foreach my $value (@values) {
    &radiusd::radlog(Info, "+++++++ trying to match $value");
    if ($value =~ /$regex/) {
        my $result = $1;
        $radReply{$radiusAttribute} = add_reply_attibute($radReply{$radiusAttribute}, "$prefix$result$suffix");
        &radiusd::radlog(Info, "++++++++ Result: Add RADIUS attribute $radiusAttribute = $result");
    } else {
        &radiusd::radlog(Info, "++++++++ Result: No match, no RADIUS attribute $radiusAttribute added.");
    }
}
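To make the difference between the two snippets above concrete, here is an added stand-alone Perl script (it is not the project's code). It runs the same mapping loop once with the overwriting assignment cmammoli describes and once accumulating into an array reference, which is how rlm_perl hands FreeRADIUS several instances of one reply attribute, and it also applies the narrower regex left commented out in rlm_perl.ini. Assumptions: the group list is a constructed subset of the debug output plus one invented EXT_ group, and add_reply_value is a hypothetical helper standing in for the repository's add_reply_attibute.

```perl
#!/usr/bin/perl
# Added example, not part of the privacyidea/FreeRADIUS module.
use strict;
use warnings;

# Constructed sample: a few group DNs from the debug run above plus one
# invented EXT_ group so the VPN-only regex has two hits.
my @groups = (
    'CN=Office365,OU=Gruppi apra,OU=Utenti,DC=apra,DC=it',
    'CN=VPN-Tecnici,OU=Gruppi VPN,OU=Utenti,DC=apra,DC=it',
    'CN=EXT_VPN-Partner,OU=Gruppi VPN,OU=Utenti,DC=apra,DC=it',  # constructed
    'CN=Domain Admins,CN=Users,DC=apra,DC=it',
);

# Hypothetical helper (stands in for add_reply_attibute): keep a single
# value as a scalar and switch to an array reference once a second value
# arrives, which rlm_perl turns into repeated instances of the attribute.
sub add_reply_value {
    my ($current, $new) = @_;
    return $new unless defined $current;
    my @all = ref($current) eq 'ARRAY' ? @$current : ($current);
    push @all, $new;
    return \@all;
}

# Run the mapping loop from the issue over @groups; $accumulate selects
# the fixed behaviour, otherwise every match overwrites the previous one.
sub map_groups {
    my ($regex, $accumulate) = @_;
    my %reply;
    foreach my $value (@groups) {
        next unless $value =~ /$regex/;
        $reply{'Fortinet-Group-Name'} = $accumulate
            ? add_reply_value($reply{'Fortinet-Group-Name'}, $1)
            : $1;    # buggy: only the last matching group survives
    }
    my $v = $reply{'Fortinet-Group-Name'};
    return defined $v ? (ref($v) eq 'ARRAY' ? @$v : ($v)) : ();
}

print "overwrite:  ", join(', ', map_groups(qr/^CN=(.*?),/, 0)), "\n";
print "accumulate: ", join(', ', map_groups(qr/^CN=(.*?),/, 1)), "\n";
# The regex commented out in rlm_perl.ini: only VPN groups reach the
# firewall, so membership like Domain Admins is not exported at all.
print "vpn only:   ", join(', ', map_groups(qr/^CN=((?:EXT_)?VPN.*?),/, 1)), "\n";
```

With the overwriting loop the firewall only ever sees the last group in the list, so which group wins depends on LDAP ordering rather than on policy; the accumulating loop returns all four, and the restricted regex returns just the two VPN groups.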