Rejected: Realm does not have at least one dot separator

Mohamed Lrhazi Mohamed.Lrhazi at georgetown.edu
Fri Jun 26 18:03:10 CEST 2015


Hello,

I am redeploying 3.0.8 on a new system using the same config files as my
existing prod systems... but in the new system, I get this error...

Username does have a dot in the realm... but the expression somehow fails...

(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (User-Name != "%{tolower:%{User-Name}}") {
(0)       EXPAND %{tolower:%{User-Name}}
(0)          --> *georgetown_test at eduroamus.edu*
(0)       if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)       if (User-Name =~ / /) {
(0)       if (User-Name =~ / /)  -> FALSE
(0)       if (User-Name =~ /@.*@/ ) {
(0)       if (User-Name =~ /@.*@/ )  -> FALSE
(0)       if (User-Name =~ /\\.\\./ ) {
(0)       if (User-Name =~ /\\.\\./ )  -> FALSE
(0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
(0)      * if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> TRUE*
(0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   {
(0)         update reply {
(0)           Reply-Message += "*Rejected: Realm does not have at least one dot separator*"
(0)         } # update reply = noop
(0)         [reject] = reject
(0)       } # if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   = reject
(0)     } # policy filter_username = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject


In the config, the rule looks like so:

sudo grep -A4 -B5 -r "dot separator" /etc/raddb
/etc/raddb/policy.d/filter-     #  must have at least 1 string-dot-string after @
/etc/raddb/policy.d/filter-     #  e.g. "user at site.com"
/etc/raddb/policy.d/filter-     #
/etc/raddb/policy.d/filter-     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
/etc/raddb/policy.d/filter-             update reply {
/etc/raddb/policy.d/filter:                     Reply-Message += "Rejected: Realm does not have at least one dot separator"
/etc/raddb/policy.d/filter-             }
/etc/raddb/policy.d/filter-             reject
/etc/raddb/policy.d/filter-     }
/etc/raddb/policy.d/filter-


Thanks,
Mohamed.
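
Added example, not part of the original post and not FreeRADIUS code: a Python model of the two dot-related `filter_username` checks from the debug output, evaluated once with each doubled backslash collapsed to one and once with the pattern compiled exactly as logged. It assumes Python's `re` as a stand-in for the server's regex engine and that the archive's ` at ` stands for `@`; `collapse_escapes`, `filter_username` and `compare` are hypothetical names.

```python
import re

# Patterns exactly as they appear between the slashes in the debug output.
RULES_AS_LOGGED = {
    "double_dot": r"\\.\\.",
    "realm_has_dot": r"@(.+)\\.(.+)$",
}


def collapse_escapes(pattern: str) -> str:
    """Model a parser that collapses each doubled backslash to one before compiling."""
    return pattern.replace("\\\\", "\\")


def filter_username(user_name: str, unescape: bool) -> str:
    """Return 'reject' or 'ok' for the two dot-related checks shown in the log."""
    pats = {name: (collapse_escapes(p) if unescape else p)
            for name, p in RULES_AS_LOGGED.items()}
    # Rule: reject consecutive dots.
    if re.search(pats["double_dot"], user_name):
        return "reject"
    # Rule: if there is a realm, it must contain string-dot-string.
    if re.search("@", user_name) and not re.search(pats["realm_has_dot"], user_name):
        return "reject"
    return "ok"


# Constructed sample inputs. The first is the User-Name from the log with '@'
# restored from the archive's ' at ' (assumption).
SAMPLES = ["georgetown_test@eduroamus.edu", "user..name", "user@localhost"]


def compare(samples=SAMPLES):
    """Map each sample to (result with collapsed escapes, result with literal pattern)."""
    return {s: (filter_username(s, True), filter_username(s, False)) for s in samples}


if __name__ == "__main__":
    for name, (collapsed, literal) in compare().items():
        print(f"{name:32} collapsed={collapsed:6} literal={literal}")
```

Under the literal reading the realm check rejects every `@` username that lacks a backslash, which matches the log above, while the consecutive-dot check stops rejecting `user..name`.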

