Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)

Jacob Dawson dawson at vt.edu
Thu Jul 14 19:57:19 CEST 2011


Further testing suggests that neither of the Perl or Realm modules is applying the Stripped-User-Name in the right scope.  Perl does that first thing, when a request comes in, and my output says that as soon as perl is done, it's unset.  Similarly, as soon as the hokies realm module is done applying a stripped username, it's unset when it returns, as evidenced by the new output below:
(0) HOKIES : Looking up realm "hokies" for User-Name = "hokies\dawson"
(0) HOKIES : Found realm "~HOKIES"
(0) HOKIES : Adding Stripped-User-Name = "dawson"
(0) HOKIES : Adding Realm = "hokies"
(0) HOKIES : Proxying request from user dawson to realm ~HOKIES
(0) HOKIES : Preparing to proxy authentication request to realm "~HOKIES" 
(0)    [HOKIES] = updated
(0) guest : Request already proxied.  Ignoring.
(0)    [guest] = ok
(0)    ? if ("%{User-Name}" =~ /.*/)
(0) 	expand: %{User-Name} -> hokies\dawson
(0) ? Evaluating ("%{User-Name}" =~ /.*/) -> TRUE
(0)    ? if ("%{User-Name}" =~ /.*/) -> TRUE
(0)     if ("%{User-Name}" =~ /.*/) {
(0)    - entering if ("%{User-Name}" =~ /.*/) {...}
(0)     - if ("%{User-Name}" =~ /.*/) = notfound
(0)    - if ("%{User-Name}" !~ /^.*\/.*$/) returns notfound
(0)    ? if ("%{Stripped-User-Name}" =~ /.*/)
(0) 	expand: %{Stripped-User-Name} -> 
(0) ? Evaluating ("%{Stripped-User-Name}" =~ /.*/) -> TRUE
(0)    ? if ("%{Stripped-User-Name}" =~ /.*/) -> TRUE
(0)     if ("%{Stripped-User-Name}" =~ /.*/) {
(0)    - entering if ("%{Stripped-User-Name}" =~ /.*/) {...}
(0)     - if ("%{Stripped-User-Name}" =~ /.*/) = notfound
(0)    - if ("%{User-Name}" !~ /^.*\/.*$/) returns notfound
(0)   - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated

Am I missing something, and just have something blindingly obvious misconfigured, or is it misbehaving?  The only way I've successfully written the Stripped-User-Name attribute onto the Access-Request has been in unlang itself with a static string, as I was unable to get the regexp parsing to play nice.

-Jacob

On 14 Jul 2011, at 13:31, Jacob Dawson wrote:

> So I played with my copy of the code to change what nostrip being unset means (now, it writes the Stripped-User-Name attribute, but no longer rewrites the User-Name attribute with the stripped username), and I'm still running into problems:
> (0) HOKIES : Looking up realm "hokies" for User-Name = "hokies\dawson"
> (0) HOKIES : Found realm "~HOKIES"
> (0) HOKIES : Adding Stripped-User-Name = "dawson"
> (0) HOKIES : Adding Realm = "hokies"
> (0) HOKIES : Proxying request from user dawson to realm ~HOKIES
> (0) HOKIES : Preparing to proxy authentication request to realm "~HOKIES" 
> (0)    [HOKIES] = updated
> (0) guest : Request already proxied.  Ignoring.
> (0)    [guest] = ok
> (0)   - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
> (0)    ... skipping elsif for request 0: Preceding "if" was taken
> (0) eap : Request is supposed to be proxied to Realm ~HOKIES.  Not doing EAP.
> (0)   [eap] = noop
> (0) sql : 	expand: %{Stripped-User-Name} -> 
> (0) sql : sql_set_user escaped user --> ''
> 
> There at the end, what's ending up in the sql module just does NOT have Stripped-User-Name set, and that's driving me batty.  The only way I've ever had that working was to manually, in unlang, set it to a fixed string (Stripped-User-Name := dawson).
> 
> Any ideas what's causing this difficulty?
> 
> -Jacob
> 
> 
> On 14 Jul 2011, at 08:49, Jacob Dawson wrote:
> 
>> 
>> On 14 Jul 2011, at 03:42, Alexander Clouter wrote:
>> 
>>> In article <795D5EE4-7536-431E-926A-98E70EFA1771 at vt.edu> you wrote:
>>> Although to prevent down the road severe levels of pain when enabling
>>> eduroam you should be using something like 'dawson at hokies.vt.edu', could
>>> you not just use 'ntdomain' (a built in module that will do this for
>>> you)?  'ntdomain' should create Realm and Stripped-User-Name in the
>>> manner you want.
>> Are you suggesting that using a prefix domain like that will cause problems, or that I should be using the realms module?
>> I have no problem with using the module, as it's worked well for the proxying side of things, but I need to be able to authorize the users on our domain, and that means I need to get a stripped username and pass it to the DB.  I'll poke at it and see if I can get that side working.
>> 
>>> 
>>> I was going to ask why you were not doing the perl stuff in unlang. :)
>>> 
>> It seemed like a good idea at the time.
>> 
>>>> (1)    ? elsif ("%{User-Name}" =~ /^(.*\\)(.*)$/)
>>>> (1)     expand: %{User-Name} -> hokies\dawson
>>>> ERROR: Failed compiling regular expression: Unmatched ( or \(
>>>> (1)   - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
>>>> 
>>>> where the relevant part of sites-enabled/default authorize section looks thus:
>>>> 
>>>> elsif("%{User-Name}" =~ /^(.*\\)(.*)$/){
>>>> update request{
>>>>  Stripped-User-Name := "%{$`}"
>>>> }
>>>> }
>>>> 
>>> $' and $` is a perlism.  You want something like (look at policy.conf
>>> rewrite.calling_station_id and rewrite.called_station_id as an example):
>>> ----
>>> if (User-Name =~ /^[^\\]\\?(.*)$/) {
>>> update request {
>>>  Stripped-User-Name := "%{1}"
>>> }
>>> }
>>> ----
>>> 
>>> Untested, but hopefully you get the idea.  :)
>> This works a little better:
>> elsif("%{User-Name}" =~ /^(.*)\\\\?(.*)$/){
>>                       update request{
>>                               Stripped-User-Name := "%{2}"
>>                       }
>>               }
>> 
>> But gives this:
>> (5) ? Evaluating ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) -> TRUE
>> (5)    ? elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) -> TRUE
>> (5)     elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) {
>> (5)    - entering elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) {...}
>> (5)     update request {
>> (5) 	expand: %{2} -> 
>> (5)     } # update request = updated
>> (5)    - elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) returns updated
>> (5)   - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
>> ....
>> (5) sql : 	expand: %{Stripped-User-Name} -> 
>> (5) sql : sql_set_user escaped user --> ''
>> 
>> 
>> Not sure what I should be doing there.  Changed it to %{0} and also to %{1} and both gave me hokies\dawson, which was at least successfully written into Stripped-User-Name.
>> 
>> Would love some more insight into how unlang handles these things, as I'm sure we'll run into a use for it in the future, even if I manage a realms-based solution to this.
>> 
>> Thanks much,
>> - Jacob
>> 
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 
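
Added example, not part of the original thread: a Python model of the regex attempts quoted above, run against the User-Name `hokies\dawson`. It assumes, from the "Unmatched ( or \(" error in the log, that the config parser turns each `\\` into `\` before the regex is compiled, and it uses Python's `re` in place of the server's regex library; `REQUIRED_SEPARATOR` and `strip_ntdomain` are hypothetical names introduced here.

```python
import re

USER = "hokies\\dawson"  # the User-Name from the thread: hokies\dawson

def as_seen_by_regex_engine(config_text):
    # Assumption: the config parser turns each "\\" into "\" before the
    # regex is compiled, which is what the "Unmatched (" error implies.
    return config_text.replace("\\\\", "\\")

def try_match(config_text, user=USER):
    """Return the capture groups, None for no match, or the compile error."""
    pattern = as_seen_by_regex_engine(config_text)
    try:
        m = re.compile(pattern).match(user)
    except re.error as exc:
        return "compile error: " + str(exc)
    return m.groups() if m else None

# Patterns exactly as typed in the thread (raw strings keep the backslashes).
FIRST_ATTEMPT = r"^(.*\\)(.*)$"      # becomes ^(.*\)(.*)$ : "(" is never closed
SECOND_ATTEMPT = r"^(.*)\\\\?(.*)$"  # becomes ^(.*)\\?(.*)$ : backslash optional,
                                     # so the greedy first group takes everything

# Hypothetical replacement: the backslash is mandatory and group 1 cannot
# contain one, so group 2 is the part after the first backslash.
REQUIRED_SEPARATOR = r"^([^\\\\]+)\\\\(.+)$"

def strip_ntdomain(user):
    """Split DOMAIN\\user into (realm, stripped name); None if no prefix."""
    m = re.match(as_seen_by_regex_engine(REQUIRED_SEPARATOR), user)
    if m is None:
        return None  # caller decides what to do; never hand "" to the DB lookup
    return m.group(1), m.group(2)

if __name__ == "__main__":
    for name in ("FIRST_ATTEMPT", "SECOND_ATTEMPT", "REQUIRED_SEPARATOR"):
        print(name, "->", try_match(globals()[name]))
    print(strip_ntdomain(USER), strip_ntdomain("dawson"))
```

The second attempt reproduces what the debug output shows: group 1 holds the whole `hokies\dawson` and group 2 is empty, which is the empty string that then reaches `sql_set_user`.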





More information about the Freeradius-Users mailing list