add quote to User-Name

add quote to User-Name

Dudás Péter
Hi,

for running external script I have to quote the content of the User-Name
(via the Exec module).
So in case User-Name is John Doe (received from NPS) I want to have  it
like "John Doe".

Tried:
   User-Name := "%{User-Name}"   # this is not working.

Is there a way to do this?

Thank you!

Peter Dudas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: add quote to User-Name

Alan DeKok-2
On May 6, 2017, at 12:48 PM, Dudás Péter <[hidden email]> wrote:

>
> for running external script I have to quote the content of the User-Name
> (via the Exec module).
> So in case User-Name is John Doe (received from NPS) I want to have  it
> like "John Doe".
>
> Tried:
>   User-Name := "%{User-Name}"   # this is not working.
>
> Is there a way to do this?

  Don't edit the User-Name in FreeRADIUS.  Instead, change the User-Name passed to the script.

  Execute the program as:

        /path/to/program \"%{User-Name}\"

  But saying what you've tried (NOT just one line), and providing the debug log would be useful, too.

 Alan DeKok.



Re: add quote to User-Name

Dudás Péter
Hi Alan!

It is a way too complicated for the first sight.

It is Windows based FreeRadius (2.2.10). And user names has a space between
the First and Last Name, so needed to be double quoted otherwise it is
handled as 2 parameters.
(according to my knowledge it is not possible to insert a double quote
between the \" \" sequence which is not deleted by the command interpreter).

exec multiotp {
        wait = yes
        input_pairs = request
        output_pairs = reply
        program = "../../multiotp.exe -base-dir=C:/mutiotp/ -keep-local -log -debug \"%{Tmp-String-0}\" \"%{User-Password}\""
        shell_escape = yes
}

Even if I change the User name to a Tmp_String-0 like this the output is
always the user name without the double quotes:
update request {
        Tmp-String-0 := "%{User-Name}"
}

In worst case I'll do the authorization from a small python script where
I'll be able to call the multiotp.exe with the properly quoted user name.

update control {
        Auth-Type := `c:\Python27\python.exe freeauth.py %{User-Name} %{User-Password}`
}

This is just an experiment - not so important. The main auth server is
3.0.13 - where there is no problem calling the multiotp with user names
containing space.
I presume the 4.0 cannot be compiled on windows.

Thank you!

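The wrapper-script fallback mentioned in the message above sidesteps the quoting problem if the wrapper hands the program an argument list instead of a command string. This is an added example, not code from the thread, FreeRADIUS or multiOTP: the child process is a stand-in that echoes its arguments, `shlex` models command-line splitting with POSIX rules (Windows parsing differs in detail), and the user name and password are constructed sample values.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for multiotp.exe (assumption): a child that prints the argv it received.
CHILD = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]


def received_args(args):
    """Start the stand-in child with an argument list (no shell) and return what it saw."""
    done = subprocess.run(CHILD + list(args), capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


def tokenize_expanded(template, user, password):
    """Model of string-based invocation: substitute the values, then split the line."""
    line = template.replace("%{User-Name}", user).replace("%{User-Password}", password)
    return shlex.split(line)


def call_with_list(user, password):
    """Hypothetical freeauth.py-style call: every value is exactly one argv element."""
    return received_args(["-log", "-debug", user, password])


if __name__ == "__main__":
    bare = "multiotp -log -debug %{User-Name} %{User-Password}"
    quoted = 'multiotp -log -debug "%{User-Name}" "%{User-Password}"'
    # Constructed sample values.
    print(tokenize_expanded(bare, "John Doe", "123456"))       # name splits in two
    print(tokenize_expanded(quoted, "John Doe", "123456"))     # name stays whole
    print(tokenize_expanded(quoted, 'John" "Doe', "123456"))   # quote in value re-splits
    print(call_with_list('John" "Doe', "123456"))              # list form is unaffected
```

Wrapping a value in quotes only holds while the value itself contains no quote character; passing a list keeps the argument boundaries independent of the content.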

Re: add quote to User-Name

Alan DeKok-2
On May 6, 2017, at 3:27 PM, Dudás Péter <[hidden email]> wrote:
>
> It is a way too complicated for the first sight.

 It shouldn't be too complicated.

> It is Windows based FreeRadius (2.2.10).

  Which isn't supported.  To be honest, if you got a Windows binary from somewhere, they're likely violating our license.

> And user names has a space between
> the First and Last Name, so needed to be double quoted otherwise it is
> handled as 2 parameters.
> (according to my knowledge it is not possible to insert a double quote
> between the \" \" sequence which is not deleted by the command interpreter).

  It is, you just have to be careful about it.

  And probably upgrade to v3, which has many other things fixed.

  And, don't have User-Names with spaces in them.  It's almost always a bad idea.

> exec multiotp {
>        wait = yes
>        input_pairs = request
>        output_pairs = reply
>        program = "../../multiotp.exe -base-dir=C:/mutiotp/ -keep-local
> -log -debug \"%{Tmp-String-0}\" \"%{User-Password}\""
>        shell_escape = yes
> }

  That should work.  If it doesn't, upgrade to v3.

> Even if I change the User name to a Tmp_String-0 like this the output is
> always the user name without the double quotes:
> update request {
> Tmp-String-0 := "%{User-Name}"
>        }

  That won't help.  You're just copying the name, not adding quotes.

> This is just an experiment - not so important. The main auth server is
> 3.0.13 - where there is no problem calling the multiotp with user names
> containing space.
> I presume the 4.0 cannot be compiled on windows.

  We've never supported Windows.

  Alan DeKok.



Re: add quote to User-Name

Dudás Péter
Thank you!

Winradius.eu made the Windows binaries - also their build bundled to the
Multiotp Windows installation howto.
This is why I tried to play with windows. As I said, our main radius server
is 3.0.13 already where all works as expected.

The main goal, that instead of Samba/Krb5/Ntlm authentication - I just have
an Idea to "Proxy-to-realm" to an NPS server the authentication request.
In case of Accept, the NPS sends back the necessary info (Filter-Id) which
was calculated by the Samba/KRB5/Ntlm.
This simplifies the whole Radius server installation as it is not necessary
to join to a domain (KRB init), Samba/Ntlm usage not needed - a simple
radius authentication can do all we need.
And after the radius auth, the Multiotp can handle the OTP code with a
Challenge-Response which is supported by the VPN we use.

Do you think there is a better way than Proxy-to-realm the auth request and
then run the challenge-response before the OTP auth?
(We use VPN where the auth type either Pap or MsChapV2)

Peter Dudas
