force_check_config - how to use?

William Bulley web at
Thu Jan 20 15:13:56 CET 2011

According to Alan DeKok <aland at> on Thu, 01/20/11 at 04:09:
> > 
> > This was changed by an adminstrator to --username=%{mschap:User-Name:-None}
> > except that the leading left brace ("{") was omitted...   :-(
>   That's a run-time expansion.  Checking the config won't help.

I got that.  See below.

> > My question: is there any way to parse and check the "value" of the
> > ntlm_auth variable in the modules/mschap file for valid syntax?
>   No.  It can only be checked by running the server.

You are partly right.  See below.

> > It doesn't seem that this ntlm_auth variable was expanded when the config
> > file was read.
>   It's not.  It's expanded at *run time*, when the server receives a packet.

True.  The variable expansion can only occur at run time.

>   No.  "-XC" succeeding means that the configuration is *superficially*
> OK.  It's not a substitute for doing functional tests.

Clearly.  :-)

>   The ntlm_auth line is expanded at run time, using data taken from the
> packet.  That is the *only* time that the server can discover an error.
>  It can't discover the error when it loads the configuration, because
> the server core doesn't know which strings should be expanded, and what
> data should be put in the expansion.

This it true: the ntlm_auth line is expanded at run time.  My question in
this thread is for the consideration of more throrough _syntax_ checking
- without expansion - during the -XC process.  Proper _syntax_ checking
would have caught this gnarly typo.  Discovering the actual problem was
made more difficult by admins assuming that -XC was more than the above
described superficial configuration test.  Thank you for your repsonses.



William Bulley                     Email: web at

72 characters width template ----------------------------------------->|

More information about the Freeradius-Users mailing list