So I played with my copy of the code to change what nostrip being unset means (now, it writes the Stripped-User-Name attribute, but no longer rewrites the User-Name attribute with the stripped username), and I'm still running into problems: (0) HOKIES : Looking up realm "hokies" for User-Name = "hokies\dawson" (0) HOKIES : Found realm "~HOKIES" (0) HOKIES : Adding Stripped-User-Name = "dawson" (0) HOKIES : Adding Realm = "hokies" (0) HOKIES : Proxying request from user dawson to realm ~HOKIES (0) HOKIES : Preparing to proxy authentication request to realm "~HOKIES" (0) [HOKIES] = updated (0) guest : Request already proxied. Ignoring. (0) [guest] = ok (0) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated (0) ... skipping elsif for request 0: Preceding "if" was taken (0) eap : Request is supposed to be proxied to Realm ~HOKIES. Not doing EAP. (0) [eap] = noop (0) sql : expand: %{Stripped-User-Name} -> (0) sql : sql_set_user escaped user --> '' There at the end, what's ending up in the sql module just does NOT have Stripped-User-Name set, and that's driving me batty. The only way I've ever had that working was to manually, in unlang, set it to a fixed string (Stripped-User-Name := dawson). Any ideas what's causing this difficulty? -Jacob On 14 Jul 2011, at 08:49, Jacob Dawson wrote:
On 14 Jul 2011, at 03:42, Alexander Clouter wrote:
In article <795D5EE4-7536-431E-926A-98E70EFA1771@vt.edu> you wrote: Although to prevent down the road severe levels of pain when enabling eduroam you should be using something like 'dawson@hokies.vt.edu', could you not just use 'ntdomain' (a built in module that will do this for you)? 'ntdomain' should create Realm and Stripped-User-Name in the manner you want. Are you suggesting that using a prefix domain like that will cause problems, or that I should be using the realms module? I have no problem with using the module, as it's worked well for the proxying side of things, but I need to be able to authorize the users on our domain, and that means I need to get a stripped username and pass it to the DB. I'll poke at it and see if I can get that side working.
I was going to ask why you were not doing the perl stuff in unlang. :)
It seemed like a good idea at the time.
(1) ? elsif ("%{User-Name}" =~ /^(.*\\)(.*)$/) (1) expand: %{User-Name} -> hokies\dawson ERROR: Failed compiling regular expression: Unmatched ( or \( (1) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
where the relevant part of sites-enabled/default authorize section looks thus:
elsif("%{User-Name}" =~ /^(.*\\)(.*)$/){ update request{ Stripped-User-Name := "%{$`}" } }
$' and $` is a perlism. You want something like (look at policy.conf rewrite.calling_station_id and rewrite.called_station_id as an example): ---- if (User-Name =~ /^[^\\]\\?(.*)$/) { update request { Stripped-User-Name := "%{1}" } } ----
Untested, but hopefully you get the idea. :) This works a little better: elsif("%{User-Name}" =~ /^(.*)\\\\?(.*)$/){ update request{ Stripped-User-Name := "%{2}" } }
But gives this: (5) ? Evaluating ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) -> TRUE (5) ? elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) -> TRUE (5) elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) { (5) - entering elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) {...} (5) update request { (5) expand: %{2} -> (5) } # update request = updated (5) - elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) returns updated (5) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated .... (5) sql : expand: %{Stripped-User-Name} -> (5) sql : sql_set_user escaped user --> ''
Not sure what I should be doing there. Changed it to %{0} and also to %{1} and both gave me hokies\dawson, which was at least successfully written into Stripped-User-Name.
Would love some more insight into how unlang handles these things, as I'm sure we'll run into a use for it in the future, even if I manage a realms-based solution to this.
Thanks much, - Jacob
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html