Issue with umlauts and freeradius / pi

Hey there!

I’ve got an annoying problem here with FreeRadius and PrivacyIDEA:

Local AD has usernames with umlauts. FreeRadius will send them encoded to PI. PI is unable to find the corresponding user in any realm.

radius.log

Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Debugging config: 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Default URL https://localhost/validate/check 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Looking for config for auth-type Perl
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Password encoding guessed: ascii
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Setting client IP to 192.168.0.12.
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Auth-Type: Perl
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: url: https://localhost/validate/check
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: user sent to privacyidea: G%C3%83%C2%B6the
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: realm sent to privacyidea: 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: resolver sent to privacyidea: 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: client sent to privacyidea: 192.168.0.12
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: state sent to privacyidea: 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: urlparam client  
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: urlparam pass  
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: urlparam user  
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Request timeout: 10 
Wed Jul 27 08:31:14 2022 : Info: rlm_perl: Not verifying SSL certificate!
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: elapsed time for privacyidea call: 0.549382
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: privacyIDEA request failed: 400 BAD REQUEST
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: privacyIDEA Result status is false!
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: ERR904: The user can not be found in any resolver in this realm!
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: privacyIDEA failed to handle the request
Wed Jul 27 08:31:15 2022 : Info: rlm_perl: return RLM_MODULE_NOTFOUND

But according to PI.log, the user was indeed found:

privacyidea.log

!!!Log Entry Secured by SecureFormatter!!! [2022-07-27 08:27:22,539][693832][140139410347904][INFO][privacyidea.lib.user:252] user 'G.the' found in resolver 'testdc01'
[2022-07-27 08:27:22,539][693832][140139410347904][INFO][privacyidea.lib.user:254] userid resolved to '243de5b4-42de-4838-be2c-30a28cccad49' 

Removing umlauts is not an option.

I don’t know in which part things get messed up - maybe someone already had the same issue here and found a solution?

Edit:

locales seem to be correct:

> locale
LANG=de_DE.UTF-8
LANGUAGE=
LC_CTYPE="de_DE.UTF-8"
LC_NUMERIC="de_DE.UTF-8"
LC_TIME="de_DE.UTF-8"
LC_COLLATE="de_DE.UTF-8"
LC_MONETARY="de_DE.UTF-8"
LC_MESSAGES="de_DE.UTF-8"
LC_PAPER="de_DE.UTF-8"
LC_NAME="de_DE.UTF-8"
LC_ADDRESS="de_DE.UTF-8"
LC_TELEPHONE="de_DE.UTF-8"
LC_MEASUREMENT="de_DE.UTF-8"
LC_IDENTIFICATION="de_DE.UTF-8"
LC_ALL=

Edit2:

G%C3%83%C2%B6the

looks like a Windows-1252 / UTF-8 (double)-misconversion. Is this a bug?

UTF-8 bytes should be “%C3%B6” → “ö”

@cornelinux
Please take a look at privacyidea_radius.pm:

442: $params{"user"} = $uri->encode($params{"user"});

URI::Encode will mess up the username.

Added some “Debug” output to this module:

    &radiusd::radlog( Info, "Username before Encoding: $params{'user'}" );
    $params{"user"} = $uri->encode($params{"user"});
    &radiusd::radlog( Info, "Username after Encoding: $params{'user'}" );

Wed Jul 27 14:32:02 2022 : Info: rlm_perl: Username before Encoding: Göthe
Wed Jul 27 14:32:02 2022 : Info: rlm_perl: Username after Encoding: G%C3%83%C2%B6the

The hacky solution for me was to comment out line 442. It looks like validate/check could handle the request without the need for encoding.

Which version of privacyIDEA and the FreeRADIUS plugin are you running?

PS: Actually, AD is mega-strange. Göthe could also log in as Goethe :wink:

PI: 3.7
FreeRadius: 3.0.21+dfsg-2.2+deb11u1

Version 3.7 of privacyIDEA should do urldecoding the username.

Which version of the privacyidea-radius plugin are you using? The latest tag is 3.4.2.

I’m on debian - couldn’t use the PI packages. :sweat_smile:

Latest changelog in perl module is:

#  2021-07-23 Cornelius Kölbel <cornelius.koelbel@netknights.it>
#             URL encode parameters

I pulled it from github master

In fact it does URL decoding - but URL decoding a misconverted string will result in crap.
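The double conversion shown in the debug output above (Göthe becoming G%C3%83%C2%B6the) and the point that URL-decoding such a string cannot recover the name, reproduced as an added example; this is not code from the thread or from the privacyidea-radius module, and the function names are my own:

```python
from urllib.parse import quote, unquote


def double_encode(name: str) -> str:
    """Reproduce the defect seen in the radius.log above: the UTF-8 bytes of
    the name are treated as Latin-1 characters, UTF-8-encoded a second time,
    and only then percent-encoded for the /validate/check request."""
    once = name.encode("utf-8")            # b'G\xc3\xb6the'
    mojibake = once.decode("latin-1")      # 'GÃ¶the' (each byte became a char)
    return quote(mojibake.encode("utf-8"))  # 'G%C3%83%C2%B6the'


def correct_encode(name: str) -> str:
    """What the request should carry: one UTF-8 pass, then percent-encoding."""
    return quote(name.encode("utf-8"))     # 'G%C3%B6the'


def undo_double_encoding(param: str) -> tuple[str, bool]:
    """URL-decode a user parameter and repair a double-encoded name if one is
    detected. Returns (name, repaired). A plain URL-decode of a double-encoded
    value yields 'GÃ¶the', which is why the user lookup in the thread fails.

    Heuristic: if the decoded text survives a Latin-1 -> UTF-8 round trip and
    changes in the process, it was encoded twice. Names that legitimately
    contain characters such as 'Ã' followed by a valid continuation character
    would be misjudged; such names are rare but the caveat applies."""
    decoded = unquote(param)
    try:
        repaired = decoded.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        # Correctly encoded non-ASCII names fail here: e.g. 'Göthe' -> b'G\xf6the'
        # is not valid UTF-8, so the decoded value is already the real name.
        return decoded, False
    return repaired, repaired != decoded


if __name__ == "__main__":
    # Constructed sample names, matching the one discussed in the thread.
    for name in ("Göthe", "Goethe"):
        bad, good = double_encode(name), correct_encode(name)
        print(f"{name}: correct={good} double={bad}")
        print("  plain decode of double:", unquote(bad))
        print("  repaired:", undo_double_encoding(bad))
```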

I can see “Göthe@testdc01” in PI dashboard as Error user/token :smile:

Interesting. I’ve had one user calling in just now, because he wasn’t able to log in anymore. I found out that the issue was again this misconversion “bug” - the admin interface showed me the “ö” in his username as a failed login.

What’s strange is, the user could last log in successfully on 01-Jun. Today he was back from vacation, and there was no active change on the productive servers since then. I reapplied the “workaround” from above. But this can’t be the solution.

Any idea what’s causing this to happen? Any PI dependency that might have been auto-upgraded in between this timespan?

Productive server is running PI 3.8.1 currently.

Edit:
/var/log/apt/history.log:

Start-Date: 2023-06-02  06:09:43
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (1.1.1n-0+deb11u4, 1.1.1n-0+deb11u5)
End-Date: 2023-06-02  06:09:44

Start-Date: 2023-06-02  06:09:45
Commandline: /usr/bin/unattended-upgrade
Upgrade: libssl1.1:amd64 (1.1.1n-0+deb11u4, 1.1.1n-0+deb11u5)
End-Date: 2023-06-02  06:09:46

Start-Date: 2023-06-07  08:32:12
Commandline: /usr/bin/unattended-upgrade
Remove: linux-image-5.10.0-21-amd64:amd64 (5.10.162-1)
End-Date: 2023-06-07  08:32:15

No unattended upgrades I’d suspect as a potential cause for this…