users file rejex

Phil Mayers p.mayers at
Tue Apr 17 14:41:15 CEST 2012

On 17/04/12 12:48, DaveA wrote:
> Hello,
> I would like to default reject users who have a "/" or "\" in their
> username. Often users will misconfigure their machines and Windows will send
> the host\username, which will never be a valid login here.

Do you mean thing like:


...or things like:


i.e. the first 4 characters are actually "h", "o", "s", "t"?

> Where is the best place to do this? I have tried to put this in the users
> file, but I may not have the correct regex:
> DEFAULT User-Name =~ /[0-9a-zA-Z\/\\]+/, Auth-Type := Reject

Do you really want to reject any user whose User-Name contains a letter 
or number? Because that's what this regexp says.

> My match cases are:
> host\username
> host\\username
> host/username
> host //username
> I do not want to sanitize these for the users.

Why? It makes your life hard, and your users lives hard, to reject names 
with a clearly valid intent.

Still, your decision, feel free to use time as you see fit ;o)

Anyway, your regex is indeed wrong. In the "users" file, you need:


THEREGEX must have double-escaped \ - first, escape the \ for the regex 
parser, next, escape the \ for the "users" file parser.

i.e. if you want to match "a\b" you need a regexp:


...therefore you need to write:

DEFAULT	User-Name =~ "a\\\\b"

"/" is not a special character in "users"-file regexps, so can just be 
left as-is.


DEFAULT	User-Name =~ "^.+\\\\\\\\", Auth-Type := Reject
DEFAULT	User-Name =~ "^.+\\\\", Auth-Type := Reject
DEFAULT	User-Name =~ "^.+//", Auth-Type := Reject
DEFAULT	User-Name =~ "^.+/", Auth-Type := Reject

Note for the archives - if you want to do this in "unlang", the syntax 
is different. You do NOT need to double-escape the "\", but DO need to 
escape the "/". Figuring this out is left as an exercise for the reader.

One final note - it would be REALLY handy if FR regexp engine let you 
choose an alternate delimiter like some programs e.g.

  if (User-Name =~ #theregex#) {
  } avoid leaning toothpick syndrome. Maybe I will work up a patch.

More information about the Freeradius-Users mailing list