PacketFence
Bug Tracking System

ID: 0001649
Project: PacketFence
Category: 802.1x
View Status: public
Date Submitted: 2013-06-05 10:15
Last Update: 2013-07-31 20:06
Reporter: dgreer
Assigned To: fdurand
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: devel
Target Version:
Fixed in Version:
Summary: 0001649: Problems returning role information from pf::authentication::match

Description: There are actually several things going on here (I think).

First, in logging, there is a logic error in an if statement. Here's the diff:

--- authentication.pm.orig 2013-06-05 07:43:17.390616523 -0500
+++ authentication.pm 2013-06-05 07:43:34.957616501 -0500
@@ -465,7 +465,7 @@
         return undef;
     }

- if (defined $action) {
+ if (! defined $action) {
         $logger->debug("No source matches action $action");
     } else {
         $logger->debug("Returning actions ".join(', ', map { $_->type." = ".$_->value } @$actions ));
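
Review bot: the changed `if` makes the first branch run only when $action is undefined, yet that branch interpolates $action into "No source matches action $action", so the message would always end with an empty value and would raise an uninitialized-value warning where warnings are enabled. The else branch dereferences @$actions, which is a different variable from the one the condition tests; if the goal is to log "no match" only when nothing was found, the test belongs on what was found (whether $actions is defined and non-empty) rather than on the negation of `defined $action`.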


Once that was found and fixed, I was able to see that I was getting matches but no returns. Have been staring at the code for quite a while, and can't figure this out. I added a debugging logging entry in the "foreach my $condition..." in Authentication/Source.pm so I could see what was being looked at, and I can see that all my conditions are being hit, but even when I've set one specifically to match it fails to return any actions (or, apparently, to match).

Here's the log entries:

Jun 05 08:56:07 pf::WebAPI(24234) WARN: switch = pf::SNMP::Motorola::RFS=HASH(0x7fa24f9d9340), ifIndex = 1, mac = 00:22:fb:56:9d:3c, node_info = HASH(0x7fa24f9ddb00), connection_type = Wireless-802.11-EAP, user_name = DPTLABS_NT\\dgreer, ssid = BasicEmployees (pf::vlan::getNormalVlan)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Trying to determine VLAN from role. (pf::vlan::getNormalVlan)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Match called with parameters SSID => BasicEmployees, connection_type => Wireless-802.11-EAP, username => DPTLABS_NT\\dgreer (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Match called with parameters SSID => BasicEmployees, connection_type => Wireless-802.11-EAP, username => DPTLABS_NT\\dgreer (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source local (SQL) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source local (SQL) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) TRACE: attempt #0 to run query temporary_password_view_sql from module temporary_password (pf::db::db_query_execute)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Database statements not prepared, preparing... (pf::db::db_query_execute)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Preparing pf::temporary_password database queries (pf::temporary_password::temporary_password_db_prepare)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source file1 (Htpasswd) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source file1 (Htpasswd) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Checking condition username equals admin (pf::Authentication::Source::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Checking condition sAMAccountName equals DPTLABS_NT\\dgreer (pf::Authentication::Source::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules in LDAP source. (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: LDAP filter: (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=DPTLABS_NT\\dgreer)) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Searching for (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=DPTLABS_NT\\dgreer)), from DC=dpt,DC=DFB,DC=NET, with scope one (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Returning actions (pf::authentication::match)
Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Username was defined (DPTLABS_NT\\dgreer) - got role ARRAY(0x7fa24f9f3bd0) (pf::vlan::getNormalVlan)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: vlanName = ARRAY(0x7fa24f9f3bd0) (pf::SNMP::getVlanByName)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: No parameter ARRAY(0x7fa24f9f3bd0)Vlan found in conf/switches.conf for the switch 192.168.99.3 (pf::SNMP::getVlanByName)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Jun 05 08:56:07 pf::WebAPI(24234) WARN: vlanName = macDetection (pf::SNMP::getVlanByName)
Jun 05 08:56:07 pf::WebAPI(24234) INFO: MAC: 00:22:fb:56:9d:3c, PID: dgreer, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)

Using CentOS 6.4 with updates.
Using packetfence-4.0.2-0.20130529.el6.noarch.rpm (and friends)
Tags: No tags attached.

Notes
(0003315)
fdurand (administrator)
2013-06-05 10:32

In fact your username doesn't match the sAMAccountName of your Active Directory (I suppose); it should be something like dgreer and not DPTLABS_NT\\dgreer.
So to fix this issue, just have a look there:
https://github.com/inverse-inc/packetfence/blob/devel/raddb/sites-available/packetfence-tunnel
In the post section we rewrite the User-Name attribute to match with AD.
(0003316)
francis (administrator)
2013-06-05 10:38

@dgreer: Your patch is incorrect. There's no error in the logic to print the debugging information.
(0003317)
dgreer (reporter)
2013-06-05 12:04

Thanks. I'll take a look at the patch (and roll back my change :^).
(0003318)
dgreer (reporter)
2013-06-05 12:13

Ok, made those changes. I'm getting a return now, but it's returning an array where (I think) a string is required.

Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Checking condition sAMAccountName equals dgreer (pf::Authentication::Source::match)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Matching rules in LDAP source. (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: LDAP filter: (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=dgreer)) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Searching for (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=dgreer)), from DC=dpt,DC=DFB,DC=NET, with scope one (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Returning actions (pf::authentication::match)
Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Username was defined (DPTLABS_NT\\dgreer) - got role ARRAY(0x7fa24f9f3b00) (pf::vlan::getNormalVlan)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: vlanName = ARRAY(0x7fa24f9f3b00) (pf::SNMP::getVlanByName)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: No parameter ARRAY(0x7fa24f9f3b00)Vlan found in conf/switches.conf for the switch 192.168.99.3 (pf::SNMP::getVlanByName)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Jun 05 11:06:39 pf::WebAPI(24235) WARN: vlanName = macDetection (pf::SNMP::getVlanByName)


The actions are:
Set role : default
Set unregistration date : 2020-01-01
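
Added example, not PacketFence code and not part of the thread: the LDAP filter logged in the note above requires sAMAccountName to equal two different values, which a single-valued attribute can never satisfy. The Perl below flags that kind of filter and shows the identity reduced to the bare account name before an escaped filter is built; the function names and sample strings are assumptions constructed from the log lines.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reduce an 802.1X identity to the bare account name:
# "DOMAIN\user" and "user@realm" both become "user".
sub bare_account {
    my ($identity) = @_;
    $identity =~ s/^[^\\]*\\+//;    # drop NetBIOS prefix and its backslash(es)
    $identity =~ s/\@.*$//;         # drop @realm suffix
    return $identity;
}

# Escape a value for an LDAP search filter (RFC 4515), so characters in the
# identity cannot change the structure of the filter.
sub ldap_escape {
    my ($value) = @_;
    $value =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

# For a flat AND filter of simple equality clauses, return the attributes
# that are required to equal two different values (nesting is not modelled).
sub conflicting_attrs {
    my ($filter) = @_;
    my ($body) = $filter =~ /^\(&(.*)\)$/;
    return () unless defined $body;
    my (%seen, %conflict);
    for my $clause ($body =~ /\(([^()]+)\)/g) {
        my ($attr, $value) = split /=/, $clause, 2;
        next unless defined $value;
        $conflict{$attr} = 1
            if exists $seen{$attr} && lc $seen{$attr} ne lc $value;
        $seen{$attr} //= $value;
    }
    return sort keys %conflict;
}

# Constructed inputs, shaped like the values in the log lines above.
my $logged   = '(&(sAMAccountName=DPTLABS_NT\\\\dgreer)(sAMAccountName=dgreer))';
my $identity = 'DPTLABS_NT\\dgreer';

print "conflicting attributes: ", join(', ', conflicting_attrs($logged)), "\n";
printf "normalised filter: (sAMAccountName=%s)\n",
    ldap_escape(bare_account($identity));
```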
(0003319)
dgreer (reporter)
2013-06-05 12:53

Ok, looks like I forgot to restart PF after undoing the change to authentication.pm.

The ARRAY thing goes away once I stop being stupid, but I'm getting "No source matches action set_role" when I have such an entry.
(0003326)
dgreer (reporter)
2013-06-14 14:26

This was a problem with my configuration: I had an incorrect SNMP config on the device I was using to test the wireless auth stuff. Derek caught this.

You can close this ticket.

Issue History
Date Modified Username Field Change
2013-06-05 10:15 dgreer New Issue
2013-06-05 10:32 fdurand Note Added: 0003315
2013-06-05 10:38 francis Note Added: 0003316
2013-06-05 12:04 dgreer Note Added: 0003317
2013-06-05 12:13 dgreer Note Added: 0003318
2013-06-05 12:53 dgreer Note Added: 0003319
2013-06-14 14:26 dgreer Note Added: 0003326
2013-07-31 20:06 fdurand Status new => resolved
2013-07-31 20:06 fdurand Resolution open => fixed
2013-07-31 20:06 fdurand Assigned To => fdurand

