User-Name attribute being evaluated as regular expression???
bmccorkle
network.administrator at gahanna.gov
Thu Apr 24 16:30:20 CEST 2008
Hello,
I have an issue and haven't been able to find any online help. I thought
I had freeradius working correctly but discovered yesterday that if a user's
name starts with 'r' then they can't log in. I set up an unlang if statement
(in the default site under sites-available) to handle whether the login is a computer,
user, or PDA request (I'm assuming this is the best way to do it). The
statement copies the User-Name attribute over to a Stripped-User-Name
attribute and manipulates the Stripped-User-Name as necessary. Normally when
a user logs in it's in the format DOMAIN\first.lastname. I created some
attr_rewrite modules to strip the domain and period out of the username.
It was working fine, but I discovered that if Randy Hall logs in (User-Name =
DOMAIN\randy.hall), Stripped-User-Name becomes "DOMAIN andy halll" (the
domain is not removed, the r in his name disappears and the last letter
seems to be doubled; I tried this with another user and it removed the r
from his name and doubled the 's' at the end of his name as well).
So what is going on exactly? I'm not an expert but it seems like the
attribute is being evaluated as a regular expression??? I commented out all
the attr_rewrite modules except for the one that copies the user-name over
to stripped-user-name and noticed the stripped-user-name was still incorrect
in my ldap search.
.....attr_rewrite section in RADIUSD.CONF.....
attr_rewrite copy.user-name {
    attribute = Stripped-User-Name
    new_attribute = yes
    searchfor = ""
    searchin = packet
    replacewith = "%{User-Name}"
}
attr_rewrite add-dollar-sign {
    attribute = Stripped-User-Name
    searchfor = "^(host/.*)"
    searchin = packet
    new_attribute = no
    replacewith = "%{1}$"
}
attr_rewrite strip-realm-name {
    attribute = Stripped-User-Name
    new_attribute = no
    searchin = packet
    searchfor = "^(.*[\\/]+)"
    replacewith = ""
    max_matches = 1
}
attr_rewrite remove-domain {
    attribute = Stripped-User-Name
    new_attribute = no
    searchfor = "\.DOMAIN\.EDU"
    searchin = packet
    replacewith = ""
    max_matches = 1
}
attr_rewrite pda-fix {
    attribute = Stripped-User-Name
    new_attribute = no
    searchfor = "@DOMAIN"
    searchin = packet
    replacewith = ""
    max_matches = 1
}
attr_rewrite strip-period {
    attribute = Stripped-User-Name
    new_attribute = no
    searchin = packet
    searchfor = "[.]"
    replacewith = " "
    max_matches = 1
}
.....If statement in default under sites-available.....
#Host Login
if (User-Name =~ /^(host\/.*)/i) {
    copy.user-name
    strip-realm-name
    remove-domain
}
#User Login
elsif (User-Name =~ /^(DOMAIN\\.*)/i) {
    copy.user-name
    strip-realm-name
    strip-period
}
#PDA Login
elsif (User-Name =~ /(@DOMAIN.EDU)/i) {
    copy.user-name
    remove-domain
    strip-period
}
else {
    copy.user-name
    strip-period
}
.....OUTPUT.....
Waking up in 3.9 seconds.
User-Name = "DOMAIN\\randy.hall"
Framed-MTU = 1400
Called-Station-Id = "001a.e210.7420"
Calling-Station-Id = "000e.3558.6ea4"
Service-Type = Login-User
Message-Authenticator = 0x3ee4bc7ed916ea6dc3bdb3d527346d95
EAP-Message = 0x0202001701474148414e4e415c72616e64792e68616c6c
NAS-Port-Type = Wireless-802.11
NAS-Port = 3649
NAS-IP-Address = 192.168.0.229
NAS-Identifier = "Company"
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radacct/192.168.0.229/auth-detail-20080424
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radacct/192.168.0.229/auth-detail-20080424
expand: %t -> Thu Apr 24 10:18:40 2008
++[auth_log] returns ok
++? if (User-Name =~ /^(host\/.*)/i)
? Evaluating (User-Name =~ /^(host\/.*)/i) -> FALSE
++? if (User-Name =~ /^(host\/.*)/i) -> FALSE
++? elsif (User-Name =~ /^(DOMAIN\\.*)/i)
? Evaluating (User-Name =~ /^(DOMAIN\\.*)/i) -> TRUE
++? elsif (User-Name =~ /^(DOMAIN\\.*)/i) -> TRUE
++- entering elsif (User-Name =~ /^(DOMAIN\\.*)/i)
expand: %{User-Name} -> DOMAIN\randy.hall
copy.user-name: Added attribute Stripped-User-Name with value
'DOMAIN\randy.hall'
+++[copy.user-name] returns ok
expand: ^(.*[\/]+) -> ^(.*[\/]+)
strip-realm-name: Does not match: Stripped-User-Name = DOMAIN andy.halll
+++[strip-realm-name] returns ok
expand: [.] -> [.]
expand: ->
strip-period: Changed value for attribute Stripped-User-Name from 'DOMAIN
andy.halll' to 'DOMAIN andy halll'
+++[strip-period] returns ok
++- elsif (User-Name =~ /^(DOMAIN\\.*)/i) returns ok
++ ... skipping elsif for request 2: Preceding "if" was taken
++ ... skipping else for request 2: Preceding "if" was taken
++[chap] returns noop
++[mschap] returns noop
--
View this message in context: http://www.nabble.com/User-Name-attribute-being-evaluated-as-regular-expression----tp16850734p16850734.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
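Added example, not part of the original post and not FreeRADIUS code: a Python model of the rewrite chain exactly as posted, applying each attr_rewrite regex literally with the re module so the intended Stripped-User-Name for every login form can be computed and compared with what the server logs. It assumes the patterns reach the regex engine as the debug output shows them (the config's `[\\/]` arriving as `[\/]`) and that searchfor matching is case-sensitive while the unlang /i matchers are not. It also adds a constructed helper, backslash_escape_hazard, that flags a value whose backslash is followed by a letter that C-style string handling treats as an escape (for example `\r`); that is an input check to run before deployment, not a diagnosis of the behaviour in the post.

```python
import re

# attr_rewrite rules transcribed from the post:
# name -> (searchfor regex, replacewith, max_matches; 0 means unlimited)
RULES = {
    "add-dollar-sign":  (r"^(host/.*)",   r"\1$", 0),
    "strip-realm-name": (r"^(.*[\\/]+)",  "",     1),
    "remove-domain":    (r"\.DOMAIN\.EDU", "",    1),
    "pda-fix":          (r"@DOMAIN",       "",    1),
    "strip-period":     (r"[.]",           " ",   1),
}

# The unlang if/elsif/else branches from the post: (User-Name matcher, rules
# applied after copy.user-name). The /i flag becomes re.I.
BRANCHES = [
    (re.compile(r"^(host/.*)", re.I),    ["strip-realm-name", "remove-domain"]),
    (re.compile(r"^(DOMAIN\\.*)", re.I), ["strip-realm-name", "strip-period"]),
    (re.compile(r"(@DOMAIN.EDU)", re.I), ["remove-domain", "strip-period"]),
]
DEFAULT_BRANCH = ["strip-period"]


def apply_rule(name, value):
    """Apply one attr_rewrite rule literally; max_matches maps to re.sub count."""
    pattern, replacement, max_matches = RULES[name]
    return re.sub(pattern, replacement, value, count=max_matches)


def stripped_user_name(user_name):
    """Compute the Stripped-User-Name the posted config intends for user_name.

    copy.user-name is modelled as a plain copy: the attribute value is data
    and is never interpreted as a pattern or an escape sequence.
    """
    for matcher, rules in BRANCHES:
        if matcher.search(user_name):
            chain = rules
            break
    else:
        chain = DEFAULT_BRANCH
    value = user_name
    for rule in chain:
        value = apply_rule(rule, value)
    return value


# Letters that, after a backslash, form an escape in C-style string literals.
# Constructed heuristic for reviewing usernames that carry a DOMAIN\ prefix.
ESCAPE_LETTERS = "abfnrtv0"


def backslash_escape_hazard(value):
    """Return the backslash sequences in value (e.g. ['\\\\r']) that any stage
    performing C-style unescaping would turn into a control character."""
    return re.findall(r"\\[" + ESCAPE_LETTERS + "]", value)


if __name__ == "__main__":
    # Constructed sample User-Name values covering each branch of the config.
    for name in ["DOMAIN\\randy.hall", "host/pc01.DOMAIN.EDU",
                 "bob.smith@DOMAIN.EDU", "jane.doe"]:
        print(f"{name!r:28} -> {stripped_user_name(name)!r}"
              f"  hazards={backslash_escape_hazard(name)}")
```

Running the model shows what the posted chain is meant to produce: `DOMAIN\randy.hall` becomes `randy hall` once the value is treated as literal data, so any deviation in the server's own debug output points at the stage where the attribute stops being literal. It also surfaces one gap in the posted config itself: the PDA branch calls remove-domain, whose pattern `\.DOMAIN\.EDU` does not match the `@DOMAIN.EDU` form, while the pda-fix rule that would match it is never invoked.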