Stripped-User-Name Problems (Re: Unmatched ( or \(, and, ?more?broadly, setting Stripped-User-Name)
Alexander Clouter
alex at digriz.org.uk
Fri Jul 15 16:49:34 CEST 2011
Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
>>Unfortunately, when you set nostrip in the config, it doesn't add a
>>Stripped-User-Name attribute to the request, but when you unset it,
>>rlm_realms adds a Stripped-User-Name attribute and also updates the
>>User-Name attribute to the same value.
>
> I am 90% sure that's not what rlm_realm does. We use unlang to process
> realms now, but I am certain we used it with nostrip and it left the
> original User-Name intact and populated Stripped-User-Name.
>
You are right, we use rlm_realm and it leaves User-Name unadulterated.
This sounds like maybe the *inner* auth User-Name is realmless and
making it's way out into outer.reply. When you use 'User-Name' in
post-auth{} you will get reply:User-Name rather than request:User-Name
if I remember correctly.
The fix is to *reject* inner-authentications that are realm-less.
Cheers
--
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.
More information about the Freeradius-Users
mailing list