Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)
Jacob Dawson
dawson at vt.edu
Thu Jul 14 19:31:04 CEST 2011
So I played with my copy of the code to change what nostrip being unset means (now, it writes the Stripped-User-Name attribute, but no longer rewrites the User-Name attribute with the stripped username), and I'm still running into problems:
(0) HOKIES : Looking up realm "hokies" for User-Name = "hokies\dawson"
(0) HOKIES : Found realm "~HOKIES"
(0) HOKIES : Adding Stripped-User-Name = "dawson"
(0) HOKIES : Adding Realm = "hokies"
(0) HOKIES : Proxying request from user dawson to realm ~HOKIES
(0) HOKIES : Preparing to proxy authentication request to realm "~HOKIES"
(0) [HOKIES] = updated
(0) guest : Request already proxied. Ignoring.
(0) [guest] = ok
(0) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
(0) ... skipping elsif for request 0: Preceding "if" was taken
(0) eap : Request is supposed to be proxied to Realm ~HOKIES. Not doing EAP.
(0) [eap] = noop
(0) sql : expand: %{Stripped-User-Name} ->
(0) sql : sql_set_user escaped user --> ''
There at the end, what's ending up in the sql module just does NOT have Stripped-User-Name set, and that's driving me batty. The only way I've ever had that working was to manually, in unlang, set it to a fixed string (Stripped-User-Name := dawson).
Any ideas what's causing this difficulty?
-Jacob
On 14 Jul 2011, at 08:49, Jacob Dawson wrote:
>
> On 14 Jul 2011, at 03:42, Alexander Clouter wrote:
>
>> In article <795D5EE4-7536-431E-926A-98E70EFA1771 at vt.edu> you wrote:
>> Although to prevent down the road severe levels of pain when enabling
>> eduroam you should be using something like 'dawson at hokies.vt.edu', could
>> you not just use 'ntdomain' (a built in module that will do this for
>> you)? 'ntdomain' should create Realm and Stripped-User-Name in the
>> manner you want.
> Are you suggesting that using a prefix domain like that will cause problems, or that I should be using the realms module?
> I have no problem with using the module, as it's worked well for the proxying side of things, but I need to be able to authorize the users on our domain, and that means I need to get a stripped username and pass it to the DB. I'll poke at it and see if I can get that side working.
>
>>
>> I was going to ask why you were not doing the perl stuff in unlang. :)
>>
> It seemed like a good idea at the time.
>
>>> (1) ? elsif ("%{User-Name}" =~ /^(.*\\)(.*)$/)
>>> (1) expand: %{User-Name} -> hokies\dawson
>>> ERROR: Failed compiling regular expression: Unmatched ( or \(
>>> (1) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
>>>
>>> where the relevant part of sites-enabled/default authorize section
>> looks thus:
>>>
>>> elsif("%{User-Name}" =~ /^(.*\\)(.*)$/){
>>> update request{
>>> Stripped-User-Name := "%{$`}"
>>> }
>>> }
>>>
>> $' and $` is a perlism. You want something like (look at policy.conf
>> rewrite.calling_station_id and rewrite.called_station_id as an example):
>> ----
>> if (User-Name =~ /^[^\\]\\?(.*)$/) {
>> update request {
>> Stripped-User-Name := "%{1}"
>> }
>> }
>> ----
>>
>> Untested, but hopefully you get the idea. :)
> This works a little better:
> elsif("%{User-Name}" =~ /^(.*)\\\\?(.*)$/){
> update request{
> Stripped-User-Name := "%{2}"
> }
> }
>
> But gives this:
> (5) ? Evaluating ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) -> TRUE
> (5) ? elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) -> TRUE
> (5) elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) {
> (5) - entering elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) {...}
> (5) update request {
> (5) expand: %{2} ->
> (5) } # update request = updated
> (5) - elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) returns updated
> (5) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
> ....
> (5) sql : expand: %{Stripped-User-Name} ->
> (5) sql : sql_set_user escaped user --> ''
>
>
> Not sure what I should be doing there. Changed it to %{0} and also to %{1} and both gave me hokies\dawson, which was at least successfully written into Stripped-User-Name.
>
> Would love some more insight into how unlang handles these things, as I'm sure we'll run into a use for it in the future, even if I manage a realms-based solution to this.
>
> Thanks much,
> - Jacob
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list