
Re: [Radiusplugin-users] username-as-common-name


From: Ralf Lübben
Subject: Re: [Radiusplugin-users] username-as-common-name
Date: Mon, 29 Aug 2011 17:26:43 +0200
User-agent: KMail/1.13.6 (Linux/2.6.38-11-generic; KDE/4.6.2; i686; ; )

Hi,

the CVS version has a similar fix, can you try it?

Ralf




On Sunday, 28 August 2011, 20:29:01, Dequan wrote:
> Sorry that I keep posting over myself, but my proposed fix of swapping the
> if statements to ensure:
> 
>       user->setCommonname ( get_env ( "common_name", envp ) );
> 
> is run before
> 
>       user->setCommonname ( get_env ( "username", envp ) );
> 
> is working and allows proper accounting functioning of
> username-as-common-name.
> 
> Below is a link to a diff which hopefully you may find useful.
> 
> http://pastebin.com/98L6JzbZ
> 
> Thanks Ralf.
> 
> -----Original Message-----
> From: Dequan [mailto:address@hidden
> Sent: 28 August 2011 18:02
> To: address@hidden
> Subject: RE: username-as-common-name
> 
> From the log output, I am assuming that the common name isn't being
> rewritten as the username -- as the StatusFileKey still refers to the
> certificate common name and not the username for accounting updates.
> 
>       Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT:
> Scheduler: Update for User phantomkevin.
>       ...
>       Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: No
> accounting data was found for bob, 114.91.48.36:2671.
> 
> Having a quick look for radiusplugin.cpp, I see the section relating to
> getUsernameAsCommonname:
> 
>     //rewrite the username if OpenVPN use the option username-as-common-name
>     if ( context->conf.getUsernameAsCommonname() == true )
>     {
>         if ( DEBUG ( context->getVerbosity() ) ) cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND: Commonname set to Username\n";
>         user->setCommonname ( get_env ( "username", envp ) );
>     }
>     if ( get_env ( "common_name", envp ) !=NULL )
>     {
>         user->setCommonname ( get_env ( "common_name", envp ) );
>     }
> 
> Out of curiosity, should these 2 IFs not be the other way around like so?
> 
>     if ( get_env ( "common_name", envp ) !=NULL )
>     {
>         user->setCommonname ( get_env ( "common_name", envp ) );
>     }
>     if ( context->conf.getUsernameAsCommonname() == true )
>     {
>         if ( DEBUG ( context->getVerbosity() ) ) cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND: Commonname set to Username\n";
>         user->setCommonname ( get_env ( "username", envp ) );
>     }
> 
> Surely the first code snippet would always end up setting the common name
> as the certificate common name, even if getUsernameAsCommonname() == true?
> Unless this was deliberate because OpenVPN does something odd -- like not
> set the common name if username-as-common-name is set in the config file?
> 
> 
> -----Original Message-----
> From: Dequan [mailto:address@hidden
> Sent: 28 August 2011 17:19
> To: address@hidden
> Subject: username-as-common-name
> 
> Hi Ralf,
> 
> I have set my OpenVPN server to use --duplicate-cn and
> --username-as-common-name, however Radiusplugin still tries to get
> accounting packets under the certificate common name.
> 
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND:
> OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Commonname set to
> Username
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Key:
> 114.91.48.36:2671.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: New user:
> username: Sun Aug 28 17:04:59 2011 us=99952 114.91.48.36:2671 Client
> random2: db1d02c5 8179dd65 7daf5d38 bbcfcfe3 e4365c24 dd9bfc41 92b9d89d
> 08ecf979
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND  AUTH: New user auth:
> username: phantomkevin, password: *****, calling station: 114.91.48.36,
> commonname: bob.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: radius_server().
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Build password packet:  password:
> *****, sharedSecret: *****.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Send packet to 127.0.0.1.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Get ACCESS_ACCEPT-Packet.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: parse_response_packet().
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: routes: .
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: framed ip: .
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: Acct Interim
> Interval: 60.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Client config file was not
> written, overwriteccfiles is false
> .Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUNDRADIUS-PLUGIN:
> FOREGROUND THREAD: Authentication succeeded!
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Received routes
> for user: .
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Received framed
> ip for user: .
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Receive
> acctinteriminterval 60 sec from backgroundprocess.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Add user to
> map.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Write 1 to auth_control_file
> /tmp/openvpn/ifconfig/openvpn_acf_8b7a7f29b1867a8a8ac789de86e93ae2.tmp.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for new
> user.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND:
> OPENVPN_PLUGIN_CLIENT_CONNECT is called.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Commonname set to
> Username
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Key:
> 114.91.48.36:2671.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to the IP
> (10.100.0.5) OpenVPN assigned to the user phantomkevin
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Add user for
> accounting: username: phantomkevin, commonname: bob
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Get a command.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct:
> username: phantomkevin, interval: 60, calling station: 114.91.48.36,
> commonname: bob, framed ip: 10.100.0.5.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND-ACCT:  Get
> ACCOUNTING_RESPONSE-Packet.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Start packet was
> send.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: User was added to
> accounting scheduler.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND-ACCT:  No routes for
> user.
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Accounting succeeded!
> 
> As you may be able to see, radiusplugin correctly detects
> username-as-common-name, however when adding the user to accounting, it
> still uses commonname = bob:
> 
> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Add user for
> accounting: username: phantomkevin, commonname: bob
> 
> This results in the log file filling up with accounting requests such as
> the below:
> 
> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler: Update
> for User phantomkevin.
> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler: Read
> Statusfile.
> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: No accounting
> data was found for bob, 114.91.48.36:2671.
> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get
> ACCOUNTING_RESPONSE-Packet.
> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler: Update
> packet for User phantomkevin was send.
> 
> Which shows that it is trying to look up accounting data of the
> certificate common name -- bob, not the common name -- phantomkevin in
> this example.
> 
> I am using the latest version -- radiusplugin_v2.1a_beta1 with the
> following settings:
> 
> Overwriteccfiles=true
> Useauthcontrolfile=true
> Accountingonly=false
> Nonfatalaccounting=false
> 
> Any idea what is causing this?
> 
> 
> _______________________________________________
> Radiusplugin-users mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/radiusplugin-users
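
The ordering question raised in the thread, as an added stand-alone model (not radiusplugin code and not part of the original messages): it resolves the common name in both orders and checks the resulting "<commonname>,<address>" key against a status row. The `get_env` stand-in, the function names and the status-row layout are assumptions; the sample values are constructed from the quoted log.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Constructed sample data (values taken from the log lines in the thread).
const char *SAMPLE_ENVP[] = {"username=phantomkevin", "common_name=bob", nullptr};
const char *SAMPLE_ADDR = "114.91.48.36:2671";
// Assumed status-file row: "Common Name,Real Address,Bytes Rx,Bytes Tx,Since".
const std::string SAMPLE_STATUS =
    "phantomkevin,114.91.48.36:2671,1024,2048,Sun Aug 28 17:04:59 2011";

// Stand-in for the plugin's get_env(): value of NAME in a "NAME=value" array.
static const char *get_env(const char *name, const char *envp[]) {
    const size_t n = std::strlen(name);
    for (int i = 0; envp && envp[i]; ++i)
        if (std::strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return nullptr;
}

// Order quoted from radiusplugin.cpp: the certificate CN is applied last,
// so it overwrites the username whenever common_name is present.
std::string cn_original_order(const char *envp[], bool username_as_cn) {
    std::string cn;
    const char *u = get_env("username", envp), *c = get_env("common_name", envp);
    if (username_as_cn && u) cn = u;
    if (c) cn = c;
    return cn;
}

// Order proposed in the thread: the username is applied last when enabled.
std::string cn_swapped_order(const char *envp[], bool username_as_cn) {
    std::string cn;
    const char *u = get_env("username", envp), *c = get_env("common_name", envp);
    if (c) cn = c;
    if (username_as_cn && u) cn = u;
    return cn;
}

// True if the status row starts with "<cn>,<addr>,", the key seen in the log.
bool accounting_found(const std::string &row, const std::string &cn, const char *addr) {
    const std::string key = cn + "," + addr + ",";
    return row.compare(0, key.size(), key) == 0;
}

int main() {
    const std::string before = cn_original_order(SAMPLE_ENVP, true);
    const std::string after = cn_swapped_order(SAMPLE_ENVP, true);
    std::cout << "original order: " << before << " found="
              << accounting_found(SAMPLE_STATUS, before, SAMPLE_ADDR) << "\n";
    std::cout << "swapped order:  " << after << " found="
              << accounting_found(SAMPLE_STATUS, after, SAMPLE_ADDR) << "\n";
    return 0;
}
```

With --duplicate-cn several users can share one certificate CN, so a key built from the certificate CN cannot tie accounting data to the authenticated username.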



