cui-inner.post-auth and cui.post-auth
Sorry, doing more poking around and have discovered that while the %{User-Name} attribute is turned into lower-case with %{tolower:...}, %{Operator-Name} is not. Surely to ensure consistency, shouldn't Operator-Name ALSO be turned into a lower-case? After all, 1DIAMOND.AC.UK and 1diamond.ac.uk are the same on t'Internet? Just a question... Stefan Paetow Software Engineer +44 1235 778812 Diamond Light Source Ltd. Diamond House, Harwell Science and Innovation Campus Didcot, Oxfordshire, OX11 0DE -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
stefan.paetow@diamond.ac.uk wrote:
Sorry, doing more poking around and have discovered that while the %{User-Name} attribute is turned into lower-case with %{tolower:...}, %{Operator-Name} is not.
Surely to ensure consistency, shouldn't Operator-Name ALSO be turned into a lower-case?
Yes.
After all, 1DIAMOND.AC.UK and 1diamond.ac.uk are the same on t'Internet?
Yes. Patches are welcome. :) Alan DeKok.
And you'll have one shortly! :-) Regards Stefan ________________________________________ From: Alan DeKok [aland@deployingradius.com] Sent: Tuesday, January 28, 2014 7:08 PM To: FreeRadius users mailing list Subject: Re: cui-inner.post-auth and cui.post-auth stefan.paetow@diamond.ac.uk wrote:
Sorry, doing more poking around and have discovered that while the %{User-Name} attribute is turned into lower-case with %{tolower:...}, %{Operator-Name} is not.
Surely to ensure consistency, shouldn't Operator-Name ALSO be turned into a lower-case?
Yes.
After all, 1DIAMOND.AC.UK and 1diamond.ac.uk are the same on t'Internet?
Yes. Patches are welcome. :) Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
Hi, I am not convinced that not lowering the Operator-Name is an inconsistency. The Operator-Name value can be from any namespace registered for this attribute. The REALM namespace is just one of possibilities. The Operator-Name specification does not say that the value is case-insensitive, therefore why should we make it such in the code. We could say the same for the User-Name but while in theory User-Name is case-sensitive in practice in most situations it will not be. Without normalising the value of the User-Name we could be generating different CUI values for the same user, and contrary to the Operator-Name, the User-Name is controlled by the user. The Operator-Name is controlled by the visited site, the CUI is generated to serve the visited site, if the visited site wants to complicate things by messing with the values of the Operator-Name, the authenticating site cannot do much about it nor it should care. Of course no harm will be done by applying lowercase to the Operator-Name, but then there is no gain either and I argue that there is no inconsistency. Tomasz -- Tomasz Wolniewicz twoln@umk.pl http://www.umk.pl/~twoln Uczelniane Centrum Informatyczne Information&Communication Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University, pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
The Operator-Name is controlled by the visited site, the CUI is generated to serve the visited site, if the visited site wants to complicate things by messing with the values of the Operator-Name, the authenticating site cannot do much about it nor it should care.
However, having the user's home site generating different CUI values because the visited site happens to have used for example '1diamond.ac.uk' on one server, and after an upgrade using '1DIAMOND.AC.UK', is not ideal either. If the Operator-Name is technically speaking case-insensitive, then it would make sense to normalise it in some sort or fashion to generate consistent CUIs regardless of casing of the visited site's Operator-Name. IMHO anyway. :-) Stefan -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
W dniu 2014-01-29 11:35, stefan.paetow@diamond.ac.uk pisze:
The Operator-Name is controlled by the visited site, the CUI is generated to serve the visited site, if the visited site wants to complicate things by messing with the values of the Operator-Name, the authenticating site cannot do much about it nor it should care. However, having the user's home site generating different CUI values because the visited site happens to have used for example '1diamond.ac.uk' on one server, and after an upgrade using '1DIAMOND.AC.UK', is not ideal either. If the Operator-Name is technically speaking case-insensitive, then it would make sense to normalise it in some sort or fashion to generate consistent CUIs regardless of casing of the visited site's Operator-Name. We do not know if every defined namespace of Operator-Name is (or is going to be) case-insensitive. REALM definitely is (technically), but the implementation does not assume anything about the namespace.
If the visited site cannot control what is sends in the Operator-Name then tough luck. CUI is of no value the the home site, so the only side affected by the problem is the side that causes the problem. As I said, no harm can be expected from adding the lower case, but if it does not serve any purpose then why add it? Tomasz -- Tomasz Wolniewicz twoln@umk.pl http://www.home.umk.pl/~twoln Uczelniane Centrum Informatyczne Information&Communication Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University, pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
Tomasz Wolniewicz wrote:
We do not know if every defined namespace of Operator-Name is (or is going to be) case-insensitive. REALM definitely is (technically), but the implementation does not assume anything about the namespace.
The realm namespace is a DNS name, and should be case insensitive. Forcing lowercase is arguably wrong for DNS, but... I think it's OK here.
If the visited site cannot control what is sends in the Operator-Name then tough luck. CUI is of no value the the home site, so the only side affected by the problem is the side that causes the problem.
As I said, no harm can be expected from adding the lower case, but if it does not serve any purpose then why add it?
Normalization is usually a good thing. Alan DeKok.
I'm sure I submitted a patch for this. .. Maybe it only went into 2.x? alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (4)
-
Alan Buxey -
Alan DeKok -
stefan.paetow@diamond.ac.uk -
Tomasz Wolniewicz