Try 3.0.14... 'moonshot-targeted-ids' says: If you use special characters %, { and }, escape them with a \ first Does escaping the '{' solve the issue? :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. From: Freeradius-Users <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org> on behalf of Dan Breslau <dbreslau@painless-security.com> Reply-To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Date: Friday, 26 May 2017 at 21:43 To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: Recursive string expansion
I have an issue with recursive string expansion -- that is, it is recursing in a situation where I'd rather it didn't. Specifically, with freeradius 3.0.13, in policy.d/moonshot_targeted_ids, if I set
targeted_id_salt = '${changeme'
then I get the error:
Fri May 26 20:23:37 2017 : Error: /etc/freeradius/policy.d/moonshot-targeted-ids[40]: Reference "${changeme%{tolower}" not found Fri May 26 20:23:37 2017 : Error: Failed expanding section name Fri May 26 20:23:37 2017 : Error: /etc/freeradius/policy.d/moonshot-targeted-ids[41]: Failed allocating memory for section Fri May 26 20:23:37 2017 : Error: Errors reading or parsing /etc/freeradius/radiusd.conf
This seems to be a reference to these two lines (starting at line 40) :
if (&outer.request:GSS-Acceptor-Host-Name) { if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request :GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
So it definitely looks like ${policy.targeted_id_salt} is expanded once, and then something attempts to expand the expanded string, which fails because '${changeme' is invalid xlat syntax.
I haven't found any user documentation indicating whether string expansion is recursive. I did find an older post by Arran where he says that "rlm_sql does recursive xlat" (see (http://lists.freeradius.org/pipermail/freeradius-users/2009-April/037249. html). This makes me wonder whether this behavior is decided upon by the module's implementer.
If there is a way to prevent this behavior (i.e., force a string to be expanded non-recursively), I'd love to hear about it. I'd be happy to file a bug (or feature request) if that would be appropriate.
Thanks,
Dan Breslau
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html