Unmatched ( or \(, and, more broadly, setting Stripped-User-Name
Jacob Dawson
dawson at vt.edu
Thu Jul 14 02:05:21 CEST 2011
So, one of my last things here is making sure I can get at the stripped usernames for my domain users, as they're authorized by their stripped name, not the name w/ which they're authenticating. For example, if I'm using my AD credentials to log in, User-Name = hokies\dawson, but I'm authorized for WLAN access as 'dawson,' not 'hokies\dawson.'
That's all well and good, as I should just be able to use Stripped-User-Name in my queries and it'll be fine (assuming it exists, using the :- operator and doing a little logic there, which I have working fine). However, I haven't found a way, or maybe just the right way, to get the realms module to create that stripped user name at the right time, and when I use the perl module to create it and add it to the list, it doesn't seem to come out the other side, like so:
rlm_perl: Added pair User-Name = hokies\\dawson
...
rlm_perl: Added pair Stripped-User-Name = dawson
(1) [perl] = updated
(1) ? if ("%{Stripped-User-Name}" == "dawson")
(1) expand: %{Stripped-User-Name} ->
(1) ? Evaluating ("%{Stripped-User-Name}" == "dawson") -> FALSE
(1) ? if ("%{Stripped-User-Name}" == "dawson") -> FALSE
I uncommented the func_authorize = authorize line in modules/perl, and the script to which the perl module points has this for its authorize function:
sub authorize {
    # For debugging purposes only
    # &log_request_attributes;
    # Logic to add stripped user name to request if our realms are recognized
    my $fullUserName = $RAD_REQUEST{'User-Name'};
    #If we have a prefix-determined domain
    if ( $fullUserName =~/^.*\\(\\)?/i){
        $RAD_REPLY{'Stripped-User-Name'} = $';
        return RLM_MODULE_UPDATED;
    }
    #If we have a suffix-determined domain
    elsif ( $fullUserName =~/\@.*$/){
        $RAD_REPLY{'Stripped-User-Name'} = $`;
        return RLM_MODULE_UPDATED;
    }
    return RLM_MODULE_OK;
}
Obviously, the regexps are working and the logic is working, based on the debug output, but since in the very next line, Stripped-User-Name is blank again, something's not working here.
I _tried_ getting this working in unlang, but that got messy pretty fast, and started complaining about unmatched parens:
(1) ? elsif ("%{User-Name}" =~ /^(.*\\)(.*)$/)
(1) expand: %{User-Name} -> hokies\dawson
ERROR: Failed compiling regular expression: Unmatched ( or \(
(1) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
where the relevant part of sites-enabled/default authorize section looks thus:
elsif("%{User-Name}" =~ /^(.*\\)(.*)$/){
    update request{
        Stripped-User-Name := "%{$`}"
    }
}
(I can't tell if the assignment is working or not, since it never gets that far, but I wouldn't be surprised if it shouldn't work in that state)
One of these ought to be writing the Attribute correctly, but not a one of them has worked. Manually writing to the attribute works (Stripped-User-Name:="dawson") but that's hardly the right answer. I'm out of ideas here. I can't tell if I'm getting unexpected behavior out of FreeRADIUS, or I'm just missing something.
Thoughts?
Thanks much,
- Jacob
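
Added example, not part of the original post and not FreeRADIUS's own code: rlm_perl exposes the request list as %RAD_REQUEST and the reply list as %RAD_REPLY, and an unqualified %{Stripped-User-Name} in unlang is looked up in the request list, so this sketch writes the stripped name to %RAD_REQUEST. It assumes the rlm_perl build in use copies %RAD_REQUEST back into the request; split_realm and the --selftest switch are hypothetical names, and the sample user names are constructed.

```perl
use strict;
use warnings;

# rlm_perl fills this package global; declared so the file also compiles
# stand-alone under "use strict".
our %RAD_REQUEST;

# Return codes used here, with the values from the rlm_perl example script.
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Hypothetical helper: split "REALM\user" (prefix) or "user@realm" (suffix)
# into (user, realm). Returns an empty list when there is no realm or the
# name is ambiguous, so authorization never runs on a half-parsed name.
sub split_realm {
    my ($name) = @_;
    return unless defined $name;
    # Prefix form: one backslash (or the doubled, escaped form seen in the
    # rlm_perl debug line), non-empty on both sides, no '@' anywhere.
    if ($name =~ /\A([^\\\@]+)\\{1,2}([^\\\@]+)\z/) {
        return ($2, $1);
    }
    # Suffix form: one '@', non-empty on both sides, no backslash anywhere.
    if ($name =~ /\A([^\\\@]+)\@([^\\\@]+)\z/) {
        return ($1, $2);
    }
    return;
}

sub authorize {
    my ($user) = split_realm($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_NOOP unless defined $user;
    # Request list, not %RAD_REPLY: that is where a later
    # "%{Stripped-User-Name}" in unlang is read from.
    $RAD_REQUEST{'Stripped-User-Name'} = $user;
    return RLM_MODULE_UPDATED;
}

# Constructed sample inputs; only runs when invoked with --selftest.
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $n ('hokies\\dawson', 'dawson@vt.edu', 'dawson', 'a\\b@c', '\\dawson') {
        %RAD_REQUEST = ('User-Name' => $n);
        my $rc = authorize();
        printf "%-16s rc=%d stripped=%s\n", $n, $rc,
            $RAD_REQUEST{'Stripped-User-Name'} // '(unset)';
    }
}
1;
```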