Hi community,
with the help of Roland Hedberg's freeradius_pysaml2 module (not using ECP)
for the freeradius server we managed to use a Shibboleth IdP to deliver
attributes for authorization. But the received SAML assertion is not
forwarded from the freeradius server back to the requesting service (e.g. SSHD).
We configured the freeradius server to use freeradius_pysaml2 in the inner
authentication loop, because the username is available there. So the IdP is
enabled to retrieve the appropriate authZ attributes of the user and return a
corresponding SAML assertion. But the assertion is not sent back from the
inner authentication loop.
We configured the freeradius server to use freeradius_pysaml2 in the outer
authentication loop, because the SAML assertion is supposed to be sent
back there. But in the outer authentication loop the username is not available,
so the IdP is not enabled to retrieve the appropriate authZ attributes of the user
and return a corresponding SAML assertion.
Maybe there are some tricks to copy the received SAML assertion from the inner
to the outer authentication loop, but AFAWK this approach would violate the
intention of the RADIUS protocol. Maybe you should change the GSS/EAP
specification to send the username (besides host and service information) for
the outer authentication as well.
Best regards,
Markus, Daniel & Jacob
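An added illustration of the inner/outer gap described in this message (my own code, not from the thread and not from freeradius_pysaml2): a minimal rlm_python-style post_auth hook that can only act when a real User-Name is present, i.e. in the inner tunnel, and returns NOOP for an anonymous outer identity. It assumes the FreeRADIUS 2.x rlm_python calling convention (a tuple of (attribute, value) pairs in, an int or an (rcode, reply, config) tuple out); the user names and the "assertion" are constructed, and the reply is split into pieces because a single RADIUS attribute value cannot exceed 253 bytes.

```python
# Assumed rlm_python 2.x convention: request = tuple of (attr, value) pairs;
# hook returns an int rcode or (rcode, reply_pairs, config_pairs).
# Names, identities and the "assertion" below are constructed examples.
try:
    import radiusd                       # injected by the server at runtime
except ImportError:                      # stand-alone run: mimic the constants
    class radiusd(object):               # values as in FreeRADIUS 2.x rlm_module_t
        RLM_MODULE_OK = 2
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8

RADIUS_MAX_VALUE = 253  # one-octet attribute length, minus the type/length bytes

def _unquote(value):
    # 2.x rlm_python hands strings over in printed form, i.e. wrapped in
    # double quotes ("bob"); accept both quoted and bare values.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value

def get_user_name(request):
    """Return the request's User-Name, or None if the pair is absent."""
    for attr, value in request:
        if attr == "User-Name":
            return _unquote(value)
    return None

def is_anonymous_identity(user):
    """True for outer EAP identities such as 'anonymous', 'anonymous@realm', '@realm'."""
    return user.split("@", 1)[0] in ("", "anonymous")

def chunk_for_radius(text):
    """Split a value (assumed ASCII, e.g. base64) into pieces fitting one attribute."""
    return [text[i:i + RADIUS_MAX_VALUE] for i in range(0, len(text), RADIUS_MAX_VALUE)]

def post_auth(request):
    """post_auth hook: only a real (inner) identity can be looked up at the IdP."""
    user = get_user_name(request)
    if user is None or is_anonymous_identity(user):
        return radiusd.RLM_MODULE_NOOP   # outer tunnel: nothing usable to look up
    # Constructed placeholder for the assertion the IdP would return for this user.
    assertion = ("ASSERTION-FOR-%s-" % user) * 40
    reply = tuple(("Reply-Message", piece) for piece in chunk_for_radius(assertion))
    return (radiusd.RLM_MODULE_UPDATED, reply, ())

def instantiate(p):
    return radiusd.RLM_MODULE_OK
```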
On 11/22/2011 12:14 PM, Brian Abram wrote:
> slap head
>
> the identifier for the braces in the module file is also the module
> name right?
>
>
>
> Brian Abram wrote:
>> I have just tried to add a python module to freeradius,
>> but I can't see exactly what I have done wrong:
>>
>> : Error: /etc/raddb/sites-enabled/inner-tunnel[293]: Failed to load module "python_saml2_ecp".
>>
>> Does the above error mean:
>>
>> a) can't read the file
>> b) can read the file but don't like the contents
>> c) happy with syntax but can't follow the directives
>> ?
>>
>> Debugging...
>>
>> I called the module: python_saml2_ecp
>> ---------------------------------
>> radius debugging ...
>> <<snip>>
>> including configuration file /etc/raddb/modules/ippool
>> including configuration file /etc/raddb/modules/python_saml2_ecp
>> including configuration file /etc/raddb/modules/smbpasswd
>>
>> --------------------------------
>> /etc/raddb/modules/
>>
>>
>> -rw-r-----. 1 root radiusd 1661 Oct 11 14:08 preprocess
>> -rw-r-----. 1 root radiusd 227 Nov 18 11:58 python_saml2_ecp
>> -rw-r-----. 1 root radiusd 1510 Oct 11 14:08 radutmp
>>
>> --------------------------------
>> [root@sci-ws006 ~]# locate -i python | grep -i site | grep -i radius
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/EGG-INFO
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/freeradius_aa.py
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/freeradius_aa.pyc
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/freeradius_ecp.py
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/freeradius_ecp.pyc
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/radiusd.py
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/radiusd.pyc
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/EGG-INFO/PKG-INFO
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/EGG-INFO/SOURCES.txt
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/EGG-INFO/dependency_links.txt
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/EGG-INFO/not-zip-safe
>> /usr/lib/python2.6/site-packages/freeradius_pysaml2-0.0.6-py2.6.egg/EGG-INFO/top_level.txt
>> /usr/lib/python2.6/site-packages/sos/plugins/radius.py
>> /usr/lib/python2.6/site-packages/sos/plugins/radius.pyc
>> /usr/lib/python2.6/site-packages/sos/plugins/radius.pyo
>>
>> --------------------------------
>> [abram@sci-ws006 ~]$ sudo cat /etc/raddb/modules/python_saml2_ecp
>> # -*- text -*-
>> #
>> #  $Id$
>>
>> # Persistent, embedded Python interpreter.
>> # python
>> {
>>     mod_instantiate = "freeradius_ecp"
>>     func_instantiate = "instantiate"
>>     mod_post_auth = "freeradius_ecp"
>>     func_post_auth = "post_auth"
>> }
>> --------------------------------
>>
>> radiusd: #### Instantiating modules ####
>> instantiate {
>> Module: Linked to module rlm_exec
>> Module: Instantiating module "exec" from file /etc/raddb/modules/exec
>> exec {
>>     wait = no
>>     input_pairs = "request"
>>     shell_escape = yes
>> }
>> <<snip>>
>>
>>
>>
>> Module: Linked to module rlm_radutmp
>> Module: Instantiating module "radutmp" from file
>> /etc/raddb/modules/radutmp
>> radutmp {
>> filename = "/var/log/radius/radutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> perm = 384
>> callerid = yes
>> }
>> Module: Checking post-proxy {...} for more modules to load
>> Module: Checking post-auth {...} for more modules to load
>> /etc/raddb/sites-enabled/inner-tunnel[293]: Failed to load module "python_saml2_ecp".
>> /etc/raddb/sites-enabled/inner-tunnel[262]: Errors parsing post-auth section.
>>
>>