User-Name attribute being evaluated as regular expression???

bmccorkle network.administrator at gahanna.gov
Thu Apr 24 16:30:20 CEST 2008


Hello,

  I have an issue and haven't been able to find any online help.  I thought
I had freeradius working correctly but discovered yesterday that if a user's
name starts with 'r' then they can't log in.  I set up an unlang if statement
(in the default site under sites-available) to handle whether the login is a computer,
user, or PDA request (I'm assuming this is the best way to do it).  The
statement copies the User-Name attribute over to a Stripped-User-Name
attribute and manipulates the Stripped-User-Name as necessary. Normally when
a user logs in it's in the format:   DOMAIN\first.lastname.  I created some
attr_rewrite modules to strip the domain and period out of the username.

It was working fine, but I discovered if Randy Hall logs in (User-Name =
DOMAIN\randy.hall), Stripped-User-Name becomes:
DOMAIN andy halll (the domain is not removed, the r in his name disappears and
the last letter seems to be doubled; I tried this with another user and it
removed the r from his name and doubled the 's' at the end of his name as
well).

So what is going on exactly?  I'm not an expert but it seems like the
attribute is being evaluated as a regular expression???  I commented out all
the attr_rewrite modules except for the one that copies the User-Name over
to Stripped-User-Name and noticed the Stripped-User-Name was still incorrect
in my LDAP search.

.....attr_rewrite section in RADIUSD.CONF.....

        attr_rewrite copy.user-name {
                attribute = Stripped-User-Name
                new_attribute = yes
                searchfor = ""
                searchin = packet
                replacewith = "%{User-Name}"
        }

        attr_rewrite add-dollar-sign {
                attribute = Stripped-User-Name
                searchfor = "^(host/.*)"
                searchin = packet
                new_attribute = no
                replacewith = "%{1}$"
        }

        attr_rewrite strip-realm-name {
                attribute = Stripped-User-Name
                new_attribute = no
                searchin = packet
                searchfor = "^(.*[\\/]+)"
                replacewith = ""
                max_matches = 1
        }

        attr_rewrite remove-domain {
                attribute = Stripped-User-Name
                new_attribute = no
                searchfor = "\.DOMAIN\.EDU"
                searchin = packet
                replacewith = ""
                max_matches = 1
        }

        attr_rewrite pda-fix {
                attribute = Stripped-User-Name
                new_attribute = no
                searchfor = "@DOMAIN"
                searchin = packet
                replacewith = ""
                max_matches = 1
        }

        attr_rewrite strip-period {
                attribute = Stripped-User-Name
                new_attribute = no
                searchin = packet
                searchfor = "[.]"
                replacewith = " "
                max_matches = 1
        }


.....If statement in default under sites-available.....

        #Host Login
        if (User-Name =~ /^(host\/.*)/i) {
                copy.user-name
                strip-realm-name
                remove-domain
        }
        #User Login
        elsif (User-Name =~ /^(DOMAIN\\.*)/i) {
                copy.user-name
                strip-realm-name
                strip-period
        }
        #PDA Login
        elsif (User-Name =~ /(@DOMAIN.EDU)/i) {
                copy.user-name
                remove-domain
                strip-period
        }
        else {
                copy.user-name
                strip-period
        }


.....OUTPUT.....

Waking up in 3.9 seconds.
        User-Name = "DOMAIN\\randy.hall"
        Framed-MTU = 1400
        Called-Station-Id = "001a.e210.7420"
        Calling-Station-Id = "000e.3558.6ea4"
        Service-Type = Login-User
        Message-Authenticator = 0x3ee4bc7ed916ea6dc3bdb3d527346d95
        EAP-Message = 0x0202001701474148414e4e415c72616e64792e68616c6c
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 3649
        NAS-IP-Address = 192.168.0.229
        NAS-Identifier = "Company"
+- entering group authorize
++[preprocess] returns ok
        expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radacct/192.168.0.229/auth-detail-20080424
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radacct/192.168.0.229/auth-detail-20080424
        expand: %t -> Thu Apr 24 10:18:40 2008
++[auth_log] returns ok
++? if (User-Name =~ /^(host\/.*)/i)
? Evaluating (User-Name =~ /^(host\/.*)/i) -> FALSE
++? if (User-Name =~ /^(host\/.*)/i) -> FALSE
++? elsif (User-Name =~ /^(DOMAIN\\.*)/i)
? Evaluating (User-Name =~ /^(DOMAIN\\.*)/i) -> TRUE
++? elsif (User-Name =~ /^(DOMAIN\\.*)/i) -> TRUE
++- entering elsif (User-Name =~ /^(DOMAIN\\.*)/i)
        expand: %{User-Name} -> DOMAIN\randy.hall
copy.user-name: Added attribute Stripped-User-Name with value
'DOMAIN\randy.hall'
+++[copy.user-name] returns ok
        expand: ^(.*[\/]+) -> ^(.*[\/]+)
strip-realm-name: Does not match: Stripped-User-Name = DOMAIN andy.halll
+++[strip-realm-name] returns ok
        expand: [.] -> [.]
        expand:   ->
strip-period: Changed value for attribute Stripped-User-Name from 'DOMAIN
andy.halll' to 'DOMAIN andy halll'
+++[strip-period] returns ok
++- elsif (User-Name =~ /^(DOMAIN\\.*)/i) returns ok
++ ... skipping elsif for request 2: Preceding "if" was taken
++ ... skipping else for request 2: Preceding "if" was taken
++[chap] returns noop
++[mschap] returns noop

-- 
View this message in context: http://www.nabble.com/User-Name-attribute-being-evaluated-as-regular-expression----tp16850734p16850734.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
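An added illustration, not part of the poster's message and not FreeRADIUS code, that traces the rewrite chain above in Python: `strip_user_name` applies the same branch tests and `searchfor` patterns to a literal copy of User-Name, and `template_copy` shows what happens when a value containing backslashes is instead pushed through a regex replacement template, which is the kind of interpretation the poster suspects. The sample names other than the poster's own `DOMAIN\randy.hall` are constructed here, and whether rlm_attr_rewrite really mangles the value this way is not established by the message; the point is that a copy step which routes the value through a regex engine is the wrong design regardless.

```python
import re

# Constructed sample User-Name values: the first is the poster's own example,
# the others are made up here to exercise the host, PDA and fall-through branches.
SAMPLES = [
    r"DOMAIN\randy.hall",
    "host/PC01.DOMAIN.EDU",
    "jane.doe@DOMAIN.EDU",
    "bob.jones",
]

# The searchfor patterns from the posted attr_rewrite modules, as Python regexes.
STRIP_REALM = re.compile(r"^(.*[\\/]+)")      # strip-realm-name
REMOVE_DOMAIN = re.compile(r"\.DOMAIN\.EDU")  # remove-domain
STRIP_PERIOD = re.compile(r"[.]")             # strip-period


def classify(user_name):
    """Mirror the unlang if/elsif chain from the posted sites-available/default."""
    if re.match(r"^(host/.*)", user_name, re.IGNORECASE):
        return "host"
    if re.match(r"^(DOMAIN\\.*)", user_name, re.IGNORECASE):
        return "user"
    if re.search(r"(@DOMAIN.EDU)", user_name, re.IGNORECASE):
        return "pda"
    return "other"


def strip_user_name(user_name):
    """Return (branch, Stripped-User-Name) using a literal copy of User-Name.

    The copy is a plain assignment, so backslashes in the value are never
    interpreted; the attr_rewrite patterns are then applied once each,
    matching the posted max_matches = 1.
    """
    branch = classify(user_name)
    stripped = user_name  # literal copy: no template expansion of the value
    if branch == "host":
        stripped = STRIP_REALM.sub("", stripped, count=1)
        stripped = REMOVE_DOMAIN.sub("", stripped, count=1)
    elif branch == "user":
        stripped = STRIP_REALM.sub("", stripped, count=1)
        stripped = STRIP_PERIOD.sub(" ", stripped, count=1)
    elif branch == "pda":
        stripped = REMOVE_DOMAIN.sub("", stripped, count=1)
        stripped = STRIP_PERIOD.sub(" ", stripped, count=1)
    else:
        stripped = STRIP_PERIOD.sub(" ", stripped, count=1)
    return branch, stripped


def template_copy(user_name):
    """The hazard the poster suspects, reproduced with Python's re module.

    The value is pushed through a regex *replacement template* (searchfor ""
    replaced with the value) instead of being copied literally.  re.sub decodes
    backslash escapes in the template, so a user name containing '\\r' gets a
    carriage return and one containing an unknown escape such as '\\h' is
    rejected outright.  Returns None when the template is rejected.
    """
    try:
        return re.sub("", user_name, "", count=1)
    except re.error:
        return None


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:28} -> {strip_user_name(name)}")
    print("template copy of the poster's value:", repr(template_copy(SAMPLES[0])))
    print("template copy with a \\h escape:", template_copy(r"DOMAIN\hope.smith"))
```

Two things worth noticing when running this against the posted configuration. First, in the debug output above the value is still correct immediately after copy.user-name ('DOMAIN\randy.hall') and is already corrupted when strip-realm-name reports "Does not match: Stripped-User-Name = DOMAIN andy.halll", so that step, not the copy, is where the value changes. Second, the posted if statement's PDA branch calls remove-domain (pattern `\.DOMAIN\.EDU`) rather than the defined pda-fix module (`@DOMAIN`), so an `@DOMAIN.EDU` suffix survives that branch, as the third sample shows.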