authentication fails because of the realm isn't stripped

Tue Sep 26 13:46:24 CEST 2017

On Sep 26, 2017, at 2:57 AM, hans.bornemann at tu-dortmund.de wrote:
> 
> the authentication fails because of the realm isn't stripped.

  The realm is stripped.  Please read the debug output. 

> the man page says: "by default the realm is stripped ..."

  Quoting the documentation isn't helpful.  We know what it says.

> Tue Sep 26 08:33:47 2017 : Debug: (1)   User-Name = "hans at telesec"

  Please follow the documentation.  EVERYTHING says to use "radiusd -X".

> Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Checking for suffix after "@"
> Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Looking up realm "telesec" for User-Name = "hans at telesec"
> Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Found realm "telesec"
> Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Stripped-User-Name = "hans"
> Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Realm = "telesec"
> Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Authentication realm is LOCAL

  See the word "Stripped" there?   That's a hint that the realm is being stripped.

  And no, the User-Name attribute is *not* modified.  That's a bad idea for a whole host of reasons.

> Tue Sep 26 08:33:47 2017 : Debug: (1)     modsingle[authorize]: calling sql (rlm_sql)
> Tue Sep 26 08:33:47 2017 : Debug: %{User-Name}
> Tue Sep 26 08:33:47 2017 : Debug: Parsed xlat tree:
> Tue Sep 26 08:33:47 2017 : Debug: attribute --> User-Name
> Tue Sep 26 08:33:47 2017 : Debug: (1) sql: EXPAND %{User-Name}
> Tue Sep 26 08:33:47 2017 : Debug: (1) sql:    --> hans at telesec
> Tue Sep 26 08:33:47 2017 : Debug: (1) sql: SQL-User-Name set to 'hans at telesec'

  See the SQL configuration.  For you, raddb/mods-config/sql/main/mysql/queries.conf

  Look for sql_user_name, and read the documentation.

  Alan DeKok.