Hello,

when I was trying to do something very similar for our prototype, I had
to face the same problem. I did not make use of the freeradius-pysaml
code. Instead I made use of the pysaml library directly. So I had to do
the assertion splitting myself.

This is the code I wrote in FreeRadius to split the SAML assertion
(assertion and assertionLen variables) into multiple RADIUS attributes.
As you can see, FreeRadius defines a constant MAX_STRING_LEN, whose
value is 254. I first tried to use that value as the attribute length,
but it failed in a very similar way to what you described in your first
mail. I then had to use a smaller value (MAX_STRING_LEN - 1) to make it
work.
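
    int position = 0;

    /* Emit the assertion as consecutive SAML-Assertion attributes, each
     * carrying at most MAX_STRING_LEN - 1 octets. */
    for (position = 0; position < assertionLen; position += MAX_STRING_LEN - 1) {
        int size_to_use = MIN(assertionLen - position, MAX_STRING_LEN - 1);

        vp = pairmake("SAML-Assertion", "", T_OP_EQ);
        if (vp == NULL)
            break;    /* attribute could not be created; stop here */
        memcpy(vp->vp_octets, &assertion[position], size_to_use);
        vp->length = size_to_use;
        pairadd(&(request->reply->vps), vp);
    }
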
I do not know the reason, but it seems to be a FreeRadius issue (maybe
it includes a \0 in all attributes, especially if they are defined as
String in the dictionary). Hope this helps somewhat.

Regards,
Alejandro

> Good point. I'll do that tomorrow. Will know for sure then - if it is coming in complete then I guess something in the moonshot code is truncating>247...
>
>
> ----- Original Message -----
> From: Adam Bishop
> Sent: 28/10/2011 23:00 GMT
> To: Moonshot community list; Rhys Smith
> Subject: Re: Problem in moonshot parsing of SAML-AAA-Assertion?
>
>
>
> If it is truncated in transit the message authenticator wouldn't validate - could run a TCP dump on the client side to see the packets incoming to confirm.
>
> Adam
>
> On 28 Oct 2011, at 23:57, Rhys Smith wrote:
>
>> Would the behaviour I saw be explained by this? I.e. Raw tcpdump showing the saml complete as it leaves - but missing final char when arriving at the other end - so during the actual radius transport it's being truncated?
>>
>>
>> ----- Original Message -----
>> From: Luke Howard
>> Sent: 29/10/2011 09:41 ZE11
>> To: Rhys Smith
>> Cc: Moonshot community list
>> Subject: Re: Problem in moonshot parsing of SAML-AAA-Assertion?
>>
>>
>>
>>
>> On 29/10/2011, at 9:39 AM, Rhys Smith wrote:
>>
>>> OK, weird (in a good way, I guess) - when I've set it down as low as 200 it seems to work fine...
>> :-)
>>
>> I don't know where the bug is occurring unfortunately; I too was trying to work around it in order to test something else.
>>
>> -- Luke
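
An added example, not part of the original thread and not FreeRADIUS or Moonshot code: RFC 2865 gives each RADIUS attribute a one-octet Length that also counts the Type and Length octets, so a value can carry at most 253 octets, the same figure as the MAX_STRING_LEN - 1 chunk size in the message above. The sketch splits a buffer at that limit and reassembles it on the receiving side; the function names and the attribute number are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RADIUS_ATTR_HDR   2                       /* Type octet + Length octet */
#define RADIUS_VALUE_MAX  (255 - RADIUS_ATTR_HDR) /* 253 value octets per attribute */
#define EXAMPLE_ATTR_TYPE 200  /* placeholder, not the real SAML-Assertion number */

/* Encode data as consecutive attributes of `type`, `chunk` value octets each.
 * Returns octets written, or 0 if chunk is invalid or out is too small. */
size_t radius_split(uint8_t type, const uint8_t *data, size_t len,
                    size_t chunk, uint8_t *out, size_t out_cap)
{
    size_t pos = 0, w = 0;
    if (chunk == 0 || chunk > RADIUS_VALUE_MAX)
        return 0;  /* 254 + 2 header octets would need a Length of 256 */
    while (pos < len) {
        size_t n = (len - pos < chunk) ? len - pos : chunk;
        if (out_cap - w < RADIUS_ATTR_HDR + n)
            return 0;
        out[w++] = type;
        out[w++] = (uint8_t)(RADIUS_ATTR_HDR + n);
        memcpy(out + w, data + pos, n);
        w += n;
        pos += n;
    }
    return w;
}

/* Concatenate, in order, the values of every attribute of `type`.
 * Returns the joined length, or (size_t)-1 on malformed or truncated input. */
size_t radius_join(uint8_t type, const uint8_t *attrs, size_t attrs_len,
                   uint8_t *out, size_t out_cap)
{
    size_t pos = 0, w = 0;
    while (pos < attrs_len) {
        size_t alen = (attrs_len - pos >= RADIUS_ATTR_HDR) ? attrs[pos + 1] : 0;
        if (alen < RADIUS_ATTR_HDR || alen > attrs_len - pos)
            return (size_t)-1;  /* Length octet points past the buffer */
        if (attrs[pos] == type) {
            size_t n = alen - RADIUS_ATTR_HDR;
            if (out_cap - w < n)
                return (size_t)-1;
            memcpy(out + w, attrs + pos + RADIUS_ATTR_HDR, n);
            w += n;
        }
        pos += alen;
    }
    return w;
}
```

A receiver that gets (size_t)-1 from radius_join has seen a Length octet that does not match the data actually present, which is how a dropped trailing octet shows up at the parsing layer.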