On Fri, 2019-11-01 at 16:19 +0000, Adam Taylor wrote:
(0) authorize { (0) if (User-Name =~ /@ulm\.edu$$/i){ (0) if (User-Name =~ /@ulm\.edu$$/i) -> FALSE (0) if (User-Name =~ /@warhawks\.ulm\.edu$$/i) { (0) if (User-Name =~ /@warhawks\.ulm\.edu$$/i) -> TRUE (0) if (User-Name =~ /@warhawks\.ulm\.edu$$/i) { (0) update request { (0) Tmp-String-0 = "Students" (0) } # update request = noop
Outer request.
(7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "warhawks.ulm.edu" for User-Name = " garretdr@warhawks.ulm.edu" (7) suffix: Found realm "warhawks.ulm.edu" (7) suffix: Adding Stripped-User-Name = "garretdr" (7) suffix: Adding Realm = "warhawks.ulm.edu" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 8 length 84 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop rlm_ldap (ldap): Reserved connection (0) (7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (7) ldap: --> (uid=garretdr) (7) ldap: EXPAND ou=%{request:Tmp-String-0},ou=People,dc=ulm,dc=edu (7) ldap: --> ou=,ou=People,dc=ulm,dc=edu
Inner tunnel. Move the username check to the inner tunnel so it's generating the Tmp- String-0 in the right list. Doing it where it is in the outer section means students can spoof as staff and vice-versa by editing their anonymous identity. -- Matthew