PAP password

Doug Hardie bc979 at lafn.org
Wed May 13 07:38:14 CEST 2009


On 12 May 2009, at 20:28, Doug Hardie wrote:

>
> On 12 May 2009, at 13:29, Doug Hardie wrote:
>
>> V 2.1.5.  I am having a problem with PAP not using the proper user  
>> id.  If the user id is just a plain
>> <user_id> then it works properly.  However, I have some realms  
>> set up that have prefixes and suffixes e.g., DUB+<user_id>@lafn.   
>> PAP is trying to find the user_id DUB+<user_id>@lafn rather than  
>> the stripped user id <user_id> and hence it doesn't find a password  
>> for the user.  Everything works just fine if I add Auth-Type :=  
>> Accept to the users file, but that's not a great way to run a  
>> railroad.  Obviously I missed something.
>>
>> hints has:
>>
>> DEFAULT Prefix == "DUB+", Suffix == "@lafn", Strip-User-Name = Yes
>>       Hint = "SlipStream"
>>
>>
>> What have I missed?
>
> I seem to have reached a dead end with this.  Version 1.x would  
> strip both the prefix and the suffix in Stripped-User-Name and then  
> use that to find the password.  Version 2.x will strip one or the  
> other, but not both.  From what I can see in presufcmp there appears  
> to be no easy way to get it to strip both.  I have tried a number of  
> kludges in hints to try and get that done.  None seem to work.  I am  
> having to run a production server with Auth-Type := Accept to keep  
> things up and running, but this is not really acceptable.
>
> One kludge that appears might work is in paircmp.c at line 142 add:
>
> 	for (len=0; len<strlen(rest); len++)
> 		if (rest[len] == '@') rest[len] = '\0';
>
> I believe that would work since when both a prefix and suffix are  
> present the prefix is removed and the suffix remains.  All my  
> suffixes have a @.

The above method works for stripped-user-name but authentication still  
has DUB+<user_id>.  There is a most interesting worked example in the  
wiki that I adapted:

DEFAULT User-Name =~ "DUB+([^@]+)@*"
         User-Name := "%{1}",
         Hint = "SlipStream"

This almost works.  The authentication is done using  +<user_id> so  
the basic problem has a solution but the regex needs some help.  I  
don't need to retain the suffix or prefix but there are several  
different prefixes so I need to check for each separately.  I don't  
have a lot of experience with regex so it should be simple, but I  
haven't found it yet.
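
The `+<user_id>` result described above can be reproduced outside the server. This is an added example, not part of the original post and not FreeRADIUS code. It assumes POSIX extended regex matching via `regcomp()`; `capture_user`, the second prefix `XYZ` and the login `DUB+alice@lafn` are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* The pattern from the post: in a POSIX extended regex "B+" means
 * "one or more B", so the literal '+' falls into the capture group. */
#define PAGE_PATTERN  "DUB+([^@]+)@*"
/* Constructed alternative: anchored, '+' escaped, suffix optional.
 * "XYZ" is a hypothetical second prefix, not one from the post. */
#define FIXED_PATTERN "^(DUB|XYZ)\\+([^@]+)(@.*)?$"

/* Copy capture group `group` of `pattern` applied to `name` into out.
 * Returns 1 on match, 0 on no match, -1 on bad pattern or short buffer. */
int capture_user(const char *pattern, int group, const char *name,
                 char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[4];
    int rc = -1;

    if (group < 0 || group > 3 || regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    if (regexec(&re, name, 4, m, 0) != 0) {
        rc = 0;
    } else if (m[group].rm_so >= 0) {
        size_t n = (size_t)(m[group].rm_eo - m[group].rm_so);
        if (n < outlen) {
            memcpy(out, name + m[group].rm_so, n);
            out[n] = '\0';
            rc = 1;
        }
    }
    regfree(&re);
    return rc;
}

int main(void)
{
    char user[64];
    const char *name = "DUB+alice@lafn";   /* constructed sample login */

    if (capture_user(PAGE_PATTERN, 1, name, user, sizeof user) == 1)
        printf("page pattern  -> %s\n", user);
    if (capture_user(FIXED_PATTERN, 2, name, user, sizeof user) == 1)
        printf("fixed pattern -> %s\n", user);
    return 0;
}
```

With the anchored pattern a plain `<user_id>` does not match at all, so such logins pass through unchanged.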




