How does Stripped-User-Name get evaluated?
Alan DeKok
aland at deployingradius.com
Tue Apr 17 18:21:38 CEST 2018
On Apr 17, 2018, at 9:59 AM, Nick Howitt <nick at howitts.co.uk> wrote:
>
> I am doing an ldap lookup with /etc/raddb/mods-available/ldap:
> user {
> base_dn = "${..base_dn}"
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>
> It comes back correctly with a simple username, but with a Domain username such as "test/MINI-1.CLEARSYSTEM" it always tries to look up user "test/MINI-1.CLEARSYSTEM".
Because you don't have "MINI-1.CLEARSYSTEM" set up as a realm.
> Changing
>
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>
> to
>
> filter = "(uid=%{Stripped-User-Name})"
>
> looks up a blank user and
>
> filter = "(uid=%{User-Name})"
>
> looks up user "test/MINI-1.CLEARSYSTEM" which fails.
> I think I am thinking is the function creating Stripped-User-Name is not being called. If so, how can I fix it?
Read the debug log. It shows you when it's creating a Stripped-User-Name.
Read the proxy.conf file, and the "realms" module. They take care of defining realms and stripping user names.
Alan DeKok.
More information about the Freeradius-Users
mailing list