Anonymous | Login | 2024-10-04 01:36 EDT |
Main | My View | View Issues | Change Log | Roadmap |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
ID | Project | Category | View Status | Date Submitted | Last Update | |||
0001649 | PacketFence | 802.1x | public | 2013-06-05 10:15 | 2013-07-31 20:06 | |||
Reporter | dgreer | |||||||
Assigned To | fdurand | |||||||
Priority | normal | Severity | major | Reproducibility | always | |||
Status | resolved | Resolution | fixed | |||||
Platform | OS | OS Version | ||||||
Product Version | devel | |||||||
Target Version | Fixed in Version | |||||||
Summary | 0001649: Problems returning role information from pf::authentication::match | |||||||
Description | There are actually several things going on here (I think). First, in logging, there is a logic error in an if statement. Here's the diff: --- authentication.pm.orig 2013-06-05 07:43:17.390616523 -0500 +++ authentication.pm 2013-06-05 07:43:34.957616501 -0500 @@ -465,7 +465,7 @@ return undef; } - if (defined $action) { + if (! defined $action) { $logger->debug("No source matches action $action"); } else { $logger->debug("Returning actions ".join(', ', map { $_->type." = ".$_->value } @$actions )); Once that was found and fixed, I was able to see that I was getting matches but no returns. Have been staring at the code for quite a while, and can't figure this out. I added a debugging logging entry in the "foreach my $condition..." in Authentication/Source.pm so I could see what was being looked at, and I can see that all my conditions are being hit, but even when I've set one to specifically to match it fails to to return any actions (or, apparently to match). Here's the log entries: Jun 05 08:56:07 pf::WebAPI(24234) WARN: switch = pf::SNMP::Motorola::RFS=HASH(0x7fa24f9d9340), ifIndex = 1, mac = 00:22:fb:56:9d:3c, node_info = HASH(0x7fa24f9ddb00), conne ction_type = Wireless-802.11-EAP, user_name = DPTLABS_NT\\dgreer, ssid = BasicEmployees (pf::vlan::getNormalVlan) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Trying to determine VLAN from role. (pf::vlan::getNormalVlan) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Match called with parameters SSID => BasicEmployees, connection_type => Wireless-802.11-EAP, username => DPTLABS_NT\\dgreer (pf::au thentication::match) Jun 05 08:56:07 pf::WebAPI(24234) WARN: Match called with parameters SSID => BasicEmployees, connection_type => Wireless-802.11-EAP, username => DPTLABS_NT\\dgreer (pf::authentication::match) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source local (SQL) (pf::authentication::match) Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source local (SQL) (pf::authentication::match) Jun 05 08:56:07 pf::WebAPI(24234) TRACE: attempt #0 to run query temporary_password_view_sql from module temporary_password (pf::db::db_query_execute) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Database statements not prepared, preparing... (pf::db::db_query_execute) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Preparing pf::temporary_password database queries (pf::temporary_password::temporary_password_db_prepare) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source file1 (Htpasswd) (pf::authentication::match) Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source file1 (Htpasswd) (pf::authentication::match) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Checking condition username equals admin (pf::Authentication::Source::match) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match) Jun 05 08:56:07 pf::WebAPI(24234) WARN: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Checking condition sAMAccountName equals DPTLABS_NT\\dgreer (pf::Authentication::Source::match) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Matching rules in LDAP source. (pf::Authentication::Source::LDAPSource::match_in_subclass) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: LDAP filter: (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=DPTLABS_NT\\dgreer)) (pf::Authentication::Source::LDAPSource::match_in_subclass) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Searching for (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=DPTLABS_NT\\dgreer)), from DC=dpt,DC=DFB,DC=NET, with scope one (pf::Authentication::Source::LDAPSource::match_in_subclass) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Returning actions (pf::authentication::match) Jun 05 08:56:07 pf::WebAPI(24234) DEBUG: Username was defined (DPTLABS_NT\\dgreer) - got role ARRAY(0x7fa24f9f3bd0) (pf::vlan::getNormalVlan) Jun 05 08:56:07 pf::WebAPI(24234) WARN: vlanName = ARRAY(0x7fa24f9f3bd0) (pf::SNMP::getVlanByName) Jun 05 08:56:07 pf::WebAPI(24234) WARN: No parameter ARRAY(0x7fa24f9f3bd0)Vlan found in conf/switches.conf for the switch 192.168.99.3 (pf::SNMP::getVlanByName) Jun 05 08:56:07 pf::WebAPI(24234) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode) Jun 05 08:56:07 pf::WebAPI(24234) WARN: vlanName = macDetection (pf::SNMP::getVlanByName) Jun 05 08:56:07 pf::WebAPI(24234) INFO: MAC: 00:22:fb:56:9d:3c, PID: dgreer, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode) Using CentOS 6.4 with updates. Using packetfence-4.0.2-0.20130529.el6.noarch.rpm (and friends) | |||||||
Tags | No tags attached. | |||||||
fixed in git revision | ||||||||
fixed in mtn revision | ||||||||
Attached Files | ||||||||
Notes | |
(0003315) fdurand (administrator) 2013-06-05 10:32 |
I fact your username doesn´t match with the sAMAccountName of your active directory (i suppose) it should be something like that dgreer and not DPTLABS_NT\\dgreer. So to fix this issue, just have a look there: https://github.com/inverse-inc/packetfence/blob/devel/raddb/sites-available/packetfence-tunnel [^] In the post section we rewrite the User-Name attribute to match with AD. |
(0003316) francis (administrator) 2013-06-05 10:38 |
@dgreer: Your patch is incorrect. There's no error in the logic to print the debugging information. |
(0003317) dgreer (reporter) 2013-06-05 12:04 |
Thanks. I'll take a look at the patch (and roll back my change :^). |
(0003318) dgreer (reporter) 2013-06-05 12:13 |
Ok, made those changes. I'm getting a return now, but it's returning an array where (I think) an string is required. Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match) Jun 05 11:06:39 pf::WebAPI(24235) WARN: Matching rules for action set_role in source ad1 (AD) (pf::authentication::match) Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Checking condition sAMAccountName equals dgreer (pf::Authentication::Source::match) Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Matching rules in LDAP source. (pf::Authentication::Source::LDAPSource::match_in_subclass) Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: LDAP filter: (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=dgreer)) (pf::Authentication::Source::LDAPSource::match_in_subcla ss) Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Searching for (&(sAMAccountName=DPTLABS_NT\\dgreer)(sAMAccountName=dgreer)), from DC=dpt,DC=DFB,DC=NET, with scope one (pf::Authent ication::Source::LDAPSource::match_in_subclass) Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Returning actions (pf::authentication::match) Jun 05 11:06:39 pf::WebAPI(24235) DEBUG: Username was defined (DPTLABS_NT\\dgreer) - got role ARRAY(0x7fa24f9f3b00) (pf::vlan::getNormalVlan) Jun 05 11:06:39 pf::WebAPI(24235) WARN: vlanName = ARRAY(0x7fa24f9f3b00) (pf::SNMP::getVlanByName) Jun 05 11:06:39 pf::WebAPI(24235) WARN: No parameter ARRAY(0x7fa24f9f3b00)Vlan found in conf/switches.conf for the switch 192.168.99.3 (pf::SNMP::getVlanByName) Jun 05 11:06:39 pf::WebAPI(24235) WARN: Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode) Jun 05 11:06:39 pf::WebAPI(24235) WARN: vlanName = macDetection (pf::SNMP::getVlanByName) The actsion are: Set role : default Set unregistration date : 2020-01-01 |
(0003319) dgreer (reporter) 2013-06-05 12:53 |
Ok, looks like I forgot to restart PF after undoing the change to authentication.pm. The ARRAY thing goes away once I stop being stupid, but I'm getting "No source matches action set_role" when I have such an entry. |
(0003326) dgreer (reporter) 2013-06-14 14:26 |
This was a problem with my configuration: I had an incorrect SNMP config on the device I was using to test the wireless auth stuff. Derek caught this. You can close this ticket. |
Issue History | |||
Date Modified | Username | Field | Change |
2013-06-05 10:15 | dgreer | New Issue | |
2013-06-05 10:32 | fdurand | Note Added: 0003315 | |
2013-06-05 10:38 | francis | Note Added: 0003316 | |
2013-06-05 12:04 | dgreer | Note Added: 0003317 | |
2013-06-05 12:13 | dgreer | Note Added: 0003318 | |
2013-06-05 12:53 | dgreer | Note Added: 0003319 | |
2013-06-14 14:26 | dgreer | Note Added: 0003326 | |
2013-07-31 20:06 | fdurand | Status | new => resolved |
2013-07-31 20:06 | fdurand | Resolution | open => fixed |
2013-07-31 20:06 | fdurand | Assigned To | => fdurand |
Copyright © 2000 - 2012 MantisBT Group |