Spaces in the end of User-Name.
Hi! What i must to specify in a config file of freeradius2 that in each request before its further handling it automatically deleted spaces in the end of %{User-Name}? The parameter nospace_user doesn't work. Not to start up users with spaces in username doesn't approach.
admin wrote:
What i must to specify in a config file of freeradius2 that in each request before its further handling it automatically deleted spaces in the end of %{User-Name}?
You need to write a custom rule in "unlang". However... my $0.02 is that you shouldn't. Instead, if you see a User-Name with spaces, *reject* it. The user is trying to play games.
The parameter nospace_user doesn't work.
That was removed many years ago. Alan DeKok.
Alan DeKok <aland@deployingradius.com> писал(а) в своём письме Wed, 19 Jan 2011 09:13:35 +0200:
admin wrote:
What i must to specify in a config file of freeradius2 that in each request before its further handling it automatically deleted spaces in the end of %{User-Name}?
You need to write a custom rule in "unlang".
Something of type such this? if ("%{User-Name}"=~/([a-zA-Z0-9_.]+)\s+$/i) { %{User-Name}=%{1} } Where it is necessary to insert it in config file that User-Name changed globally before any actions with it?
However... my $0.02 is that you shouldn't. Instead, if you see a User-Name with spaces, *reject* it. The user is trying to play games.
Yes, but it creates many questions from users.
admin wrote:
Something of type such this?
if ("%{User-Name}"=~/([a-zA-Z0-9_.]+)\s+$/i) { %{User-Name}=%{1} }
Not quite... if (User-Name =~ /(.+)\s+$/i) { update request { User-Name := "%{1}" } } See "man unlang".
Where it is necessary to insert it in config file that User-Name changed globally before any actions with it?
In the "authorize" section. *Read* the debug output. It's clear that the "authorize" section is processed first when the server receives a packet.
However... my $0.02 is that you shouldn't. Instead, if you see a User-Name with spaces, *reject* it. The user is trying to play games.
Yes, but it creates many questions from users.
Like "how did you catch my trying to cheat you?" Alan DeKok.
admin <bp@iptv.by> wrote:
What i must to specify in a config file of freeradius2 that in each request before its further handling it automatically deleted spaces in the end of %{User-Name}?
You need to write a custom rule in "unlang".
Something of type such this?
if ("%{User-Name}"=~/([a-zA-Z0-9_.]+)\s+$/i) { %{User-Name}=%{1} }
Where it is necessary to insert it in config file that User-Name changed globally before any actions with it?
No, that's incorrect...I am also not going to help you hang yourself by giving you the answer :)
However... my $0.02 is that you shouldn't. Instead, if you see a User-Name with spaces, *reject* it. The user is trying to play games.
Yes, but it creates many questions from users.
It creates even more problems for you later on down the line. There will be times when you will be unable to strip the whitespace (maybe you auth straight against LDAP, say Apache doing group membership checks against LDAP...the whitespace will *kill* you) from a username and those users stuck in the habit of putting spaces in usernames will come back and haunt you. Best to make it work only if you do things correctly. Ideally you should do something like: ---- authorization { [snipped] if (User-Name =~ /^\s/ || User-Name =~ /\s$/) { update reply { Reply-Message := "Remove spaces from User-Name" } reject } [snipped] } ---- Hopefully your environment enables that message to get back to the user. Cheers -- Alexander Clouter .sigmonster says: If you can't understand it, it is intuitively obvious.
Alexander Clouter <alex@digriz.org.uk> писал(а) в своём письме Wed, 19 Jan 2011 10:54:11 +0200:
Ideally you should do something like: ---- authorization { [snipped]
if (User-Name =~ /^\s/ || User-Name =~ /\s$/) { update reply { Reply-Message := "Remove spaces from User-Name" } reject }
[snipped] } ----
Something doesn't work. sites-enabled/default: authorize { preprocess chap mschap suffix files sql logintime auth } radiusd.conf: exec auth { program = "/usr/local/freeradius/run/Money %u %n %{NAS-Port}" wait = yes input_pairs = request shell_escape = yes output = no output_pairs = reply } If I check existence of spaces in User-Name in my program /usr/local/freeradius/run/Money all works. If I insert if (User-Name =~ /^\s/ || User-Name =~ /\s$/) { update reply { Reply-Message := "Remove spaces from User-Name" } reject } in section authorize{} in any place the user with spaces in User-Name successfully transits authorization. This unlang-code doesn't work too if (User-Name =~ /(.+)\s+$/i) { update request { User-Name := "%{1}" } } Where I was mistaken? FreeRADIUS Version 2.1.10
participants (3)
-
admin -
Alan DeKok -
Alexander Clouter