Issue with umlauts and freeradius / pi

Hey there!

I’ve got an annoying problem here with FreeRadius and PrivacyIDEA:

Local AD has usernames with umlauts. FreeRadius will send them encoded to PI. PI is unable to find the corresponding user in any realm

radius.log

Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Debugging config: 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Default URL https://localhost/validate/check 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Looking for config for auth-type Perl
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Password encoding guessed: ascii
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Setting client IP to 192.168.0.12.
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Auth-Type: Perl
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: url: https://localhost/validate/check
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: user sent to privacyidea: G%C3%83%C2%B6the
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: realm sent to privacyidea: 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: resolver sent to privacyidea: 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: client sent to privacyidea: 192.168.0.12
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: state sent to privacyidea: 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: urlparam client  
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: urlparam pass  
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: urlparam user  
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Request timeout: 10 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Not verifying SSL certificate!
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: elapsed time for privacyidea call: 0.549382
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: privacyIDEA Result status is false!
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: ERR904: The user can not be found in any resolver in this realm!
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: privacyIDEA failed to handle the request
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: return RLM_MODULE_NOTFOUND

But according to PI.log, the user was found indeed:

privacyidea.log

!!!Log Entry Secured by SecureFormatter!!! [2022-07-27 08:27:22,539][693832][140139410347904][INFO][privacyidea.lib.user:252] user 'G.the' found in resolver 'testdc01'
[2022-07-27 08:27:22,539][693832][140139410347904][INFO][privacyidea.lib.user:254] userid resolved to '243de5b4-42de-4838-be2c-30a28cccad49' 

Removing umlauts is not an option.

I don’t know in which part things get messed up - maybe someone already had the same issue here and found a solution?

Edit:

locales seem to be correct:

> locale
LANG=de_DE.UTF-8
LANGUAGE=
LC_CTYPE="de_DE.UTF-8"
LC_NUMERIC="de_DE.UTF-8"
LC_TIME="de_DE.UTF-8"
LC_COLLATE="de_DE.UTF-8"
LC_MONETARY="de_DE.UTF-8"
LC_MESSAGES="de_DE.UTF-8"
LC_PAPER="de_DE.UTF-8"
LC_NAME="de_DE.UTF-8"
LC_ADDRESS="de_DE.UTF-8"
LC_TELEPHONE="de_DE.UTF-8"
LC_MEASUREMENT="de_DE.UTF-8"
LC_IDENTIFICATION="de_DE.UTF-8"
LC_ALL=

Edit2:

G%C3%83%C2%B6the

looks like a Windows-1252 / UTF-8 (double)-misconversion. Is this a bug?

UTF-8 bytes should be “%C3%B6” → “ö”

@cornelinux
Please take a look at privacyidea_radius.pm:

442: $params{"user"} = $uri->encode($params{"user"});

URI::Encode will mess up the username.

Added some “Debug” output to this module:

    &radiusd::radlog( Info, "Username before Encoding: $params{'user'}" );
    $params{"user"} = $uri->encode($params{"user"});
    &radiusd::radlog( Info, "Username after Encoding: $params{'user'}" );

Wed Jul 27 14:32:02 2022 : Info: rlm_perl: Username before Encoding: Göthe
Wed Jul 27 14:32:02 2022 : Info: rlm_perl: Username after Encoding: G%C3%83%C2%B6the

Hacky solution for me was to comment out line 442. It looks like validate/check could handle the request without the need for encoding.

Which version of privacyIDEA and the FreeRADIUS plugin are you running?

PS: Actually, AD is mega-strange. Göthe could also log in as Goethe :wink:

PI: 3.7
FreeRadius: 3.0.21+dfsg-2.2+deb11u1

Version 3.7 of privacyIDEA should URL-decode the username.

Which version of the privacyidea-radius plugin are you using? The latest tag is 3.4.2.

I’m on Debian - couldn’t use the PI packages. :sweat_smile:

Latest changelog in perl module is:

    2021-07-23 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#               URL encode parameters

I pulled it from GitHub master.

In fact it does URL decoding - but URL decoding a misconverted string will result in crap.

I can see “Göthe@testdc01” in PI dashboard as Error user/token :smile:
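An added example, not part of the thread and not privacyIDEA or plugin code: it reproduces the value seen in radius.log and shows a server-side check that tells a correctly encoded `user` parameter from a double-encoded one. It assumes the misconversion suspected above, namely that the UTF-8 bytes of the username were read as one character per byte (Latin-1) and encoded to UTF-8 a second time; the function names are hypothetical.

```python
from urllib.parse import quote, unquote_to_bytes

# Value taken from the radius.log excerpt on this page.
LOGGED_USER = "G%C3%83%C2%B6the"


def encode_once(username: str) -> str:
    """Expected wire form: percent-encoded UTF-8 bytes of the character string."""
    return quote(username.encode("utf-8"), safe="")


def encode_bytes_as_chars(raw: bytes) -> str:
    """Assumed failure mode: bytes that are already UTF-8 are treated as
    Latin-1 characters, encoded to UTF-8 again, then percent-encoded."""
    return quote(raw.decode("latin-1").encode("utf-8"), safe="")


def classify(wire_value: str):
    """Return (status, username) for a percent-encoded user parameter.

    status is 'ok', 'double-encoded' or 'invalid'. This is a heuristic: a
    real name made only of characters such as U+00C3 followed by U+00B6
    would be misread, so log the finding rather than silently rewriting.
    """
    raw = unquote_to_bytes(wire_value)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "invalid", None
    try:
        # Undo one layer: characters back to single bytes, bytes read as UTF-8.
        repaired = text.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return "ok", text  # not reversible, so it was encoded only once
    if repaired != text:
        return "double-encoded", repaired
    return "ok", text  # pure ASCII survives both paths unchanged


if __name__ == "__main__":
    print(encode_once("Göthe"))                           # single encoding
    print(encode_bytes_as_chars("Göthe".encode("utf-8")))  # value from the log
    print(classify(LOGGED_USER))
```

A lookup for the string returned with status `double-encoded` is what would match the directory entry; the raw decoded value is the mojibake form that shows up as the failed user.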