Got it figured out, just had to do a few Data::Dumper dumps and dig a bit to find
where to get at the stripped_user_name inside firewallsso.pm. Here are
my notes in case anyone else needs to do this in pf7+:

The SSO modules have been rebuilt in Go and require compilation if you
customize them. The handoff to the SSO modules is still Perl, however, so
instead of modifying the iboss module just modify
/usr/local/pf/lib/pf/firewallsso.pm.
Add the following 'my $nodeloc' line:

    (already there) my $mac = pf::util::clean_mac($postdata{mac});
    (already there) my $node = pf::node::node_attributes($mac);
    (add this)      my $nodeloc = pf::locationlog::locationlog_last_entry_mac($mac);

Update the logger line to include the stripped name:

    $logger->info("Sending a firewall SSO '$postdata{method}' request for MAC '$mac' and IP '$postdata{ip}' for user '$nodeloc->{stripped_user_name}'");

and modify the username field to refer to $nodeloc->{stripped_user_name}
instead of $node->{pid}:

    pf::api::jsonrestclient->new(
        proto => "http",
        host  => "localhost",
        port  => $pf::constants::api::PFSSO_PORT,
    )->call("/pfsso/".lc($postdata{method}), {
        ip       => $postdata{ip},
        mac      => $mac,
        # All values must be string for pfsso
        timeout  => $postdata{timeout}."",
        role     => $node->{category},
        username => $nodeloc->{stripped_user_name},
    });
On Mon, Sep 18, 2017 at 2:49 PM, Gary Stansbury <[email protected]>
wrote:
> Great! I got the go environment built and recompiled pfhttpd, and packet
> traces show me that we are now *not* sending the &g= at the end, and my
> iboss's are therefore performing ldap lookups for group memberships as
> desired:
>
> 14:39:09.120909 IP (tos 0x0, ttl 64, id 48034, offset 0, flags [DF], proto
> TCP (6), length 330)
> 10.1.1.87.43322 > 10.1.1.252.8015: Flags [P.], cksum 0x1891 (incorrect
> -> 0xa8c6), seq 0:278, ack 1, win 229, options [nop,nop,TS val 778109 ecr
> 173754786], length 278
> GET /nacAgent?action=login&user=lowed&dc=Packetfence&key=XS832CF2A&ip=172.16.96.56&cn=lowed HTTP/1.1
> Host: 10.1.1.252:8015
> User-Agent: Go-http-client/1.1
> Content-Length: 27
> Content-Type: application/x-www-form-urlencoded
> Accept-Encoding: gzip
>
>
> However, now I'm seeing another problem I had to fix before in the Perl:
> some users connect as DOMAIN\username when on PCs vs the same users
> connecting with the stripped username on a mobile device. The iBoss expects to
> see the stripped username. In pre-7.x days I was fixing this up here:
>
> /usr/local/pf/lib/pf/firewallsso/Iboss.pm from
>
> my $username = $node_info->{'last_dot1x_username'};
> to
> my $username = $node_info->{'stripped_user_name'};
>
>
> and it was working well, but I don't know what RADIUS attributes are being
> passed to the iboss.go. Where should I look to see if I have access to the
> 'stripped_user_name' attribute?
>
> Thanks,
>
> Gary
>
>
> On Mon, Sep 18, 2017 at 11:15 AM, Louis Munro via PacketFence-users <
> [email protected]> wrote:
>
>> Indeed, Go is a compiled language like C.
>>
>> You will have to use the go compiler to recompile that file.
>> It should not be too hard once you get the hang of it.
>>
>> Take a look at /usr/local/pf/go/README.md.
>>
>> Regards,
>> --
>> Louis Munro
>> [email protected] :: www.inverse.ca
>> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
>> www.packetfence.org)
>>
>> On Sep 18, 2017, at 10:44, Gary Stansbury via PacketFence-users <
>> [email protected]> wrote:
>>
>>
>>
>> Pre 7.0 I was able to modify /usr/local/pf/lib/pf/firewallsso/Iboss.pm
>> and remove the "&g=" part from the end of the HTTP request PacketFence
>> builds to notify our iBoss devices of SSO events. This is necessary for us
>> because we want the iBoss to query LDAP based on username to determine what
>> groups a user is a member of instead of relying on the PacketFence "role",
>> which we currently just use to determine which SSID someone has connected
>> to.
>>
>> I see that in 7.0+ a lot of the SSO stuff has been converted from Perl to
>> golang, and I'm entirely unfamiliar with it. I made a similar change in
>>
>> /usr/local/pf/go/firewallsso/iboss.go
>>
>> func (fw *Iboss) getRequest(ctx context.Context, action string, info map[string]string) (*http.Request, error) {
>>     req, err := http.NewRequest(
>>         "GET",
>>         fmt.Sprintf(
>>             "http://%s:%s/nacAgent?action=%s&user=%s&dc=%s&key=%s&ip=%s&cn=%s&g=%s",
>>             fw.PfconfigHashNS,
>>             fw.Port,
>>             action,
>>             info["username"],
>>             fw.NacName,
>>             fw.Password,
>>             info["ip"],
>>             info["username"],
>>             info["role"],
>>         ), bytes.NewBufferString("query=libwww-perl&mode=dist"),
>>     )
>>     // ...
>>
>> removed the &g portions:
>>
>> func (fw *Iboss) getRequest(ctx context.Context, action string, info map[string]string) (*http.Request, error) {
>>     req, err := http.NewRequest(
>>         "GET",
>>         fmt.Sprintf(
>>             "http://%s:%s/nacAgent?action=%s&user=%s&dc=%s&key=%s&ip=%s&cn=%s",
>>             fw.PfconfigHashNS,
>>             fw.Port,
>>             action,
>>             info["username"],
>>             fw.NacName,
>>             fw.Password,
>>             info["ip"],
>>             info["username"],
>>         ), bytes.NewBufferString("query=libwww-perl&mode=dist"),
>>     )
>>     // ...
>>
>> but no amount of configreloading or restarting services seems to make it
>> want to re-read that updated go file. Is there some compiling I must do to
>> regenerate this firewallsso package?
>>
>> Thanks,
>>
>> --
>> Gary Stansbury
>> Network Engineer
>> Troup County Board of Education, LaGrange, GA
>> 706-594-3928
>>
>
>
> --
> Gary Stansbury
> Network Engineer
> Troup County Board of Education, LaGrange, GA
> 706-594-3928
>
--
Gary Stansbury
Network Engineer
Troup County Board of Education, LaGrange, GA
706-594-3928
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
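As an added example that is not part of this thread and not PacketFence's own code: a Go version of the iBoss /nacAgent URL construction discussed above, which makes the "&g=" role parameter optional (Gary's change), strips a DOMAIN\ prefix so PC and mobile logins send the same username, and percent-encodes each value instead of interpolating it with fmt.Sprintf, so a username containing '&' or '=' cannot add or overwrite query parameters. The IbossSSO struct, its field names and the SendRole switch are assumptions for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// IbossSSO holds what the excerpt's getRequest reads from fw.*; the field names
// and the SendRole switch are assumptions made for this example.
type IbossSSO struct {
	Host, Port, NacName, Password string
	SendRole                      bool // false omits &g= so the iBoss resolves groups via LDAP
}

// stripDomain drops a leading "DOMAIN\" so a PC login and a mobile login map to
// the same iBoss user, the normalisation the thread gets from stripped_user_name.
func stripDomain(user string) string {
	if i := strings.LastIndex(user, `\`); i >= 0 {
		return user[i+1:]
	}
	return user
}

// NacAgentURL builds the iBoss /nacAgent URL in the excerpt's parameter order but
// percent-encodes every value with url.QueryEscape instead of fmt.Sprintf, so a
// username such as "a&g=admin" stays one parameter and cannot smuggle in a group.
func (fw IbossSSO) NacAgentURL(action string, info map[string]string) (string, error) {
	user := stripDomain(info["username"])
	if user == "" || info["ip"] == "" {
		return "", fmt.Errorf("iboss sso: username and ip are required")
	}
	params := [][2]string{
		{"action", action}, {"user", user}, {"dc", fw.NacName},
		{"key", fw.Password}, {"ip", info["ip"]}, {"cn", user},
	}
	if fw.SendRole {
		params = append(params, [2]string{"g", info["role"]})
	}
	parts := make([]string, 0, len(params))
	for _, p := range params {
		parts = append(parts, p[0]+"="+url.QueryEscape(p[1]))
	}
	u := url.URL{Scheme: "http", Host: net.JoinHostPort(fw.Host, fw.Port),
		Path: "/nacAgent", RawQuery: strings.Join(parts, "&")}
	return u.String(), nil
}
```

With the thread's device address, NAC name and a constructed placeholder key, NacAgentURL("login", {"username": `DOMAIN\lowed`, "ip": "172.16.96.56"}) yields the same request line as the packet capture above, minus the "&g=" suffix.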