Username case insensitivity
On Feb 21, 2020, at 5:48 PM, Luveh Keraph <1.41421 at gmail.com> wrote:
I would like for my FreeRADIUS 3.0.20 server to match user names to be authenticated in a case-insensitive way.
You want it to match *all* names in a case insensitive way?
All user names that the FreeRADIUS receives for authentication. The password should remain case-sensitive.
To that effect, I changed the contents of /etc/raddb/mods-enabled/sradutmp as follows:
radutmp sradutmp { filename = ${logdir}/sradutmp case_sensitive = "no"
No... that changes the case insensitivity of the *radutmp* module. The comments in the module > make this clear.
OK, thanks.
When I launch the FreeRADIUS server with -sfXx in the resulting traces I can see that the module above has been loaded, and that the case_sensitive attribute is indeed set to "no". However, the FreeRADIUS server remains user name case-sensitive. What am I misunderstanding here?
You're seeing the server run modules which *aren't* radump, and which *don't* take any "case_sensitive" parameter. I'm not sure why editing the "radutmp" module would make the "files" or "pap" module be case insensitive.
OK.
In FreeRADIUS, user name lookups are generally done via databases. If you want the lookups > to be case insensitive, then change the database queries
So... which database are you using to look up user names / passwords?
I am just using the basic capabilities provided by FreeRADIUS - entries in /etc/raddb/users. The user name and password information is retrieved from that file. I tried adding a policy for this in /etc/raddb/policy.d, but I couldn't get that to work either.
On Feb 21, 2020, at 11:44 PM, Luveh Keraph <1.41421@gmail.com> wrote:
All user names that the FreeRADIUS receives for authentication. The password should remain case-sensitive.
That's generally not a good idea. For one, databases aren't typically case-insensitive. So those might see "bob" as different users / accounts / billing than user "BOB". If you don't care about case, then the simplest way to fix it is to just mash the User-Name to lowercase. For various reasons, you should do it this way: authorize { update request { Stripped-User-Name := "%{tolower:%{User-Name}}" } ... everything else ... } That is the simplest way to do it, and the most likely to work for all modules.
I am just using the basic capabilities provided by FreeRADIUS - entries in /etc/raddb/users. The user name and password information is retrieved from that file.
The sample configuration for the "files" module tells you how to change the key used for lookups. You can just change that to do case-insensitive lookups.
I tried adding a policy for this in /etc/raddb/policy.d, but I couldn't get that to work either.
"I tried to do stuff, but it didn't work". That isn't a useful thing to say. It's better to describe WHAT you did, WHY you did it, and WHAT happened. Alan DeKok.
I had tried before several variations of what you propose, to no avail. I finally got it working by adding the following line in the configuration of the "files" module. key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}" On Sun, Feb 23, 2020 at 6:02 AM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 21, 2020, at 11:44 PM, Luveh Keraph <1.41421@gmail.com> wrote:
All user names that the FreeRADIUS receives for authentication. The password should remain case-sensitive.
That's generally not a good idea. For one, databases aren't typically case-insensitive. So those might see "bob" as different users / accounts / billing than user "BOB".
If you don't care about case, then the simplest way to fix it is to just mash the User-Name to lowercase. For various reasons, you should do it this way:
authorize { update request { Stripped-User-Name := "%{tolower:%{User-Name}}" } ... everything else ...
}
That is the simplest way to do it, and the most likely to work for all modules.
I am just using the basic capabilities provided by FreeRADIUS - entries in /etc/raddb/users. The user name and password information is retrieved from that file.
The sample configuration for the "files" module tells you how to change the key used for lookups. You can just change that to do case-insensitive lookups.
I tried adding a policy for this in /etc/raddb/policy.d, but I couldn't get that to work either.
"I tried to do stuff, but it didn't work".
That isn't a useful thing to say. It's better to describe WHAT you did, WHY you did it, and WHAT happened.
Alan DeKok.
participants (2)
-
Alan DeKok -
Luveh Keraph