User-Name attribute being evaluated as regular expression???
bmccorkle
network.administrator at gahanna.gov
Wed Apr 30 17:21:09 CEST 2008
Alan DeKok-4 wrote:
>
> bmccorkle wrote:
>> I have an issue and haven't been able to find any online help. I thought
>> I had freeradius working correctly but discovered yesterday that if a
>> user's name starts with 'r' then they can't log in. I set up an unlang if
>> statement (in the default sites available) to handle whether the login is
>> a computer, user, or pda request (I'm assuming this is the best way to do
>> it). The statement copies the User-Name attribute over to a
>> Stripped-User-Name attribute and manipulates the Stripped-User-Name as
>> necessary. Normally when a user logs in it's in the format:
>> DOMAIN\first.lastname. I created some attr_rewrite modules to strip the
>> domain and period out of the username.
>
> You don't need to do that. You can just use regular expressions.
>
>> It was working fine, but I discovered if Randy Hall logs in (User-Name =
>> DOMAIN\randy.hall); Stripped-User-Name becomes:
>> DOMAIN andy halll (domain is not removed, the r in his name disappears
>> and the last letter seems to be doubled (I tried this with another user
>> and it removed the r from his name and doubled the 's' at the end of his
>> name as well).
>
> I think there's an issue with the attr_rewrite module. Grab the
> latest one in CVS.... it may be better.
>
>> So what is going on exactly? I'm not an expert but it seems like the
>> attribute is being evaluated as a regular expression???
>
> No... I think your configuration is too complex.
>
>> attr_rewrite copy.user-name {
>>     attribute = Stripped-User-Name
>>     new_attribute = yes
>>     searchfor = ""
>>     searchin = packet
>>     replacewith = "%{User-Name}"
>> }
>
> You don't need this. The regular expression code && unlang can do all
> of this.
>
> It's not clear to me what you're trying to do, because your
> configuration is so complex. Just write a bunch of regular expressions
> to match what you want, and use %{1}, etc.
>
> Try writing a few *simple* examples of what you want to do. Odds are
> you can write a simple regex expression that does everything. You don't
> need attr_rewrite.
>
> e.g. for : DOMAIN\randy.hall
>
>     if (User-Name =~ /^DOMAIN\\(.*)/) {
>         update request {
>             Stripped-User-Name := "%{1}"
>         }
>     }
>
> I don't see why it has to be more complex than that.
>
>
> Alan DeKok.
You were right about using the regular expressions instead of the
attr_rewrite statements. It took me a day to figure out regular expressions
(hadn't touched them in a couple of years) but it greatly simplified things
and it's running smoother. We had started with version 1 of Freeradius for
our testing and then I built another box with version 2. When I configured
the new box I had simply moved over the attr_rewrite statements because the
old box was working with them (or seemed to at least). One last question
though. I'm using 'if' statements to evaluate the User-Name variable for
the various formats the username might be in. Is it possible with
unlang to evaluate the regular expression with a switch statement? For
example, my 'if' statement...

#USER LOGIN (DOMAIN\\FIRST.LAST)
if (User-Name =~ /DOMAIN[\\]{1,2}(.*)/i) {
    update request {
        Stripped-User-Name := "%{1}"
    }
}
#HOST LOGIN (HOST/COMPUTERNAME.DOMAIN.EDU)
elsif (User-Name =~ /host\/([a-z0-9\-]*)[\.]{1}DOMAIN[\.]{1}EDU/i) {
    update request {
        Stripped-User-Name := "%{1}$"
    }
}
#PDA LOGIN (USERNAME at DOMAIN)
elsif (User-Name =~ /([A-Z0-9\-\.]*)@/i) {
    update request {
        Stripped-User-Name := "%{1}"
    }
}
#GIVE ONE LAST TRY
elsif (User-Name =~ /(.*)/i) {
    update request {
        Stripped-User-Name := "%{1}"
    }
}

Can this be rewritten in a Switch statement like so..

Switch "User-Name" {
    Case (/REGULAR EXPRESSION/i) {
    }
    Case (/REGULAR EXPRESSION2/i) {
    }
}

I didn't see anything in the unlang manual (or wasn't understanding it
correctly) so I didn't try it. But if it's not, I think it would be nice to
have.
--
View this message in context: http://www.nabble.com/User-Name-attribute-being-evaluated-as-regular-expression----tp16850734p16985248.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
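
A small test harness for the if/elsif chain in the message above, as an added example that is not part of the original thread: it ports the four patterns to Python's re module and compares them with a `^`-anchored variant like the one in the quoted reply. Python's re only approximates the server's regex matching, and `build_rules`, `strip_user_name` and every sample name except DOMAIN\randy.hall are constructed here.

```python
import re

# Constructed port of the four patterns, in order. Python's re stands in for
# the server's regex library (an assumption; details can differ).
def build_rules(anchored=False):
    a, z = ("^", "$") if anchored else ("", "")
    return [
        ("user", re.compile(a + r"DOMAIN[\\]{1,2}(.*)", re.I), ""),
        # The "$" suffix on host names is kept from the original update block.
        ("host", re.compile(a + r"host/([a-z0-9\-]*)[.]{1}DOMAIN[.]{1}EDU" + z, re.I), "$"),
        ("pda", re.compile(a + r"([A-Z0-9\-.]*)@", re.I), ""),
        ("fallback", re.compile(r"(.*)", re.I), ""),
    ]

def strip_user_name(user_name, anchored=False):
    """Return (rule label, Stripped-User-Name) for the first matching rule."""
    for label, pattern, suffix in build_rules(anchored):
        match = pattern.search(user_name)  # search() is unanchored, like =~
        if match:
            return label, match.group(1) + suffix
    return "none", user_name

# Constructed sample logins (only DOMAIN\randy.hall comes from the thread).
SAMPLES = [
    r"DOMAIN\randy.hall",
    "host/PC-0042.DOMAIN.EDU",
    "jsmith@DOMAIN",
    "plainuser",
    r"OTHERDOMAIN\randy.hall",  # a different prefix that merely ends in DOMAIN
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:32} unanchored={strip_user_name(name)} "
              f"anchored={strip_user_name(name, anchored=True)}")
```

With the unanchored patterns, OTHERDOMAIN\randy.hall and DOMAIN\randy.hall both normalise to randy.hall; the anchored variant keeps them distinct.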