  1. #!/usr/bin/perl -w
  2.  
  3. use strict;
  4. use warnings;
  5.  
  6. use Net::LDAP;
  7.  
  8. # use ...
  9. use Data::Dumper;
  10.  
  11. # Bring the global hashes into the package scope
  12. our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
  13.  
  14. #
  15. # This the remapping of return values
  16. #
  17. use constant {
  18.         RLM_MODULE_REJECT   => 0, # immediately reject the request
  19.         RLM_MODULE_FAIL     => 1, # there was a script failure
  20.         RLM_MODULE_OK       => 2, # the module is OK, continue
  21.         RLM_MODULE_HANDLED  => 3, # the module handled the request, so stop
  22.         RLM_MODULE_INVALID  => 4, # the module considers the request invalid
  23.         RLM_MODULE_USERLOCK => 5, # reject the request (user is locked out)
  24.         RLM_MODULE_NOTFOUND => 6, # user not found
  25.         RLM_MODULE_NOOP     => 7, # module succeeded without doing anything
  26.         RLM_MODULE_UPDATED  => 8, # OK (pairs modified)
  27.         RLM_MODULE_NUMCODES => 9  # How many return codes there are
  28. };
  29.  
  30. # Same as src/include/radiusd.h
  31. use constant    L_DBG=>   1;
  32. use constant    L_AUTH=>  2;
  33. use constant    L_INFO=>  3;
  34. use constant    L_ERR=>   4;
  35. use constant    L_PROXY=> 5;
  36. use constant    L_ACCT=>  6;
  37.  
  38. # Function to handle authenticate
  39. sub authenticate { return RLM_MODULE_NOOP; }
  40. # Function to handle detach
  41. sub detach { return RLM_MODULE_NOOP; }
  42. # Function to handle preacct
  43. sub preacct { return RLM_MODULE_NOOP; }
  44. # Function to handle accounting
  45. sub accounting { return RLM_MODULE_NOOP; }
  46. # Function to handle checksimul
  47. sub checksimul { return RLM_MODULE_NOOP; }
  48. # Function to handle pre_proxy
  49. sub pre_proxy { return RLM_MODULE_NOOP; }
  50. # Function to handle post_proxy
  51. sub post_proxy { return RLM_MODULE_NOOP; }
  52. # Function to handle post_auth
  53. sub post_auth { return RLM_MODULE_NOOP; }
  54. # Function to handle xlat
  55. sub xlat { return RLM_MODULE_NOOP }
  56.  
  57. sub log_request_attributes {
  58.         # This shouldn't be done in production environments!
  59.         # This is only meant for debugging!
  60.         for (keys %RAD_REQUEST) {
  61.                 &radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
  62.         }
  63. }
  64.  
  65. sub authorize {
  66.         &log_request_attributes( );
  67.         my $username = $RAD_REQUEST{'User-Name'};
  68.  
  69.         if ( $username eq 'nagios' ) {
  70.                 return RLM_MODULE_OK;
  71.         }
  72.  
  73.         my $realm = undef;
  74.         my $authtype = 'System';
  75.         my $mesg = undef;
  76.  
  77.         my $ldap = Net::LDAP->new( 'ldapi://' ) or return RLM_MODULE_FAIL;
  78.  
  79.         $mesg = $ldap->bind( );
  80.         $mesg->code && $ldap->disconnect( ) && return RLM_MODULE_FAIL;
  81.  
  82.         my $base = 'ou=netgroups,dc=example,dc=com';
  83.         my $attrs = ['dn'];
  84.  
  85.         # Check for YubiKey
  86.         my $filter = "(&(objectClass=nisNetgroup)(cn=yubikey)(nisNetgroupTriple=\\(,$username,\\)))";
  87.         my $result = $ldap->search( base=> "$base", scope => "sub", filter => "$filter", attrs => "$attrs" );
  88.         $result->code && $ldap->unbind( ) && $ldap->disconnect( ) && return RLM_MODULE_FAIL;
  89.  
  90.         if ( $result->count( ) >= 1 )
  91.         {
  92.                 $realm = 'yubiauth.example.com';
  93.                 my $realm_user = "$username\@$realm";
  94.                 &radiusd::radlog( 1, "Changing User-Name: $realm_user" );
  95.                 $RAD_REQUEST{'User-Name'} = $realm_user;
  96.                 $RAD_REQUEST{'Stripped-User-Name'} = $username;
  97.                 $RAD_REQUEST{'Auth-Type'} = $authtype;
  98.                 $ldap->unbind( ) && $ldap->disconnect( );
  99.                 return RLM_MODULE_UPDATED;
  100.         }
  101.  
  102.         # We can't proxy this user
  103.         return RLM_MODULE_NOOP;
  104. }