force_check_config - how to use?

Alan DeKok aland at deployingradius.com
Thu Jan 20 10:09:11 CET 2011


William Bulley wrote:
> Thanks.  I came across this while trying to debug a gnarly situation with
> the mschap module.  The configs in modules/mschap include at the end:
> 
>    #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
>       --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
>       --challenge=%{mschap:Challenge:-00}
>       --nt-response=%{mschap:NT-Response:-00}"
> 
> This was changed by an administrator to --username=%{mschap:User-Name:-None}
> except that the leading left brace ("{") was omitted...   :-(

  That's a run-time expansion.  Checking the config won't help.

> The output of radiusd -XC concluded that "Configuration appears to be OK."
> when in fact mschap authentications could never recover the User-Name when
> ntlm_auth was given --username=%mschap:User-Name:-None} to deal with...

  Exactly.

> My question: is there any way to parse and check the "value" of the
> ntlm_auth variable in the modules/mschap file for valid syntax?

  No.  It can only be checked by running the server.

> It doesn't seem that this ntlm_auth variable was expanded when the config
> file was read.

  It's not.  It's expanded at *run time*, when the server receives a packet.


> After this comment is an if statement "if (value == dflt)" which, if true,

  You're lost in the weeds.  Don't bother reading the source, it won't help.

> ...  The net result is that the human
> error (see typo above) was not discovered while configuration checking
> with -XC which gave a false positive indication.  Very confusing...

  No.  "-XC" succeeding means that the configuration is *superficially*
OK.  It's not a substitute for doing functional tests.

  The ntlm_auth line is expanded at run time, using data taken from the
packet.  That is the *only* time that the server can discover an error.
It can't discover the error when it loads the configuration, because
the server core doesn't know which strings should be expanded, and what
data should be put in the expansion.

  Alan DeKok.
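
An external pre-deployment lint for the brace typo discussed in this thread, as an added example that is not part of the original message and not FreeRADIUS code. It assumes a simplified grammar ("%{" opens, "}" closes, "%%" is a literal percent, "%" plus one character is a single-letter expansion) and checks brace syntax only, not whether the referenced attributes exist in a packet.

```python
import re

# Constructed samples: the default quoted above from modules/mschap, and the
# edited --username option with the "{" dropped after "%".
GOOD = ('/path/to/ntlm_auth --request-nt-key '
        '--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} '
        '--challenge=%{mschap:Challenge:-00} '
        '--nt-response=%{mschap:NT-Response:-00}')
BAD = GOOD.replace('%{%{Stripped-User-Name}:-%{User-Name:-None}}',
                   '%mschap:User-Name:-None}')


def lint_xlat(value):
    """Return sorted (offset, message) pairs for brace problems in a string.

    Assumed grammar (a simplification, not the server's parser): "%{" opens
    an expansion, "}" closes the innermost one, "%%" is a literal percent,
    and "%" followed by any other character is a one-character expansion.
    """
    problems = []
    stack = []  # offsets of "%{" still waiting for their "}"
    i = 0
    while i < len(value):
        two = value[i:i + 2]
        if two == '%%':
            i += 2
        elif two == '%{':
            stack.append(i)
            i += 2
        elif value[i] == '%':
            # "%m" alone is legal; "%m" running into a word looks like a lost "{"
            if re.match(r'%[A-Za-z]{2}', value[i:]):
                problems.append((i, 'percent followed by a name without "{"'))
            i += 2
        elif value[i] == '}':
            if stack:
                stack.pop()
            else:
                problems.append((i, '"}" with no matching "%{"'))
            i += 1
        else:
            i += 1
    problems += [(off, '"%{" never closed') for off in stack]
    return sorted(problems)


if __name__ == '__main__':
    for offset, message in lint_xlat(BAD):
        print(f'offset {offset}: {message}')
```
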