Rejected: Realm does not have at least one dot separator
Mohamed Lrhazi
Mohamed.Lrhazi at georgetown.edu
Sat Jun 27 06:17:11 CEST 2015
I built this 3.0.8, on redhat 6.6, by tweaking the src rpm from
http://software.opensuse.org/download.html?project=home%3Afreeradius%3A3.0.x%3Acentos&package=freeradius
Could it be that I need a specific version of pcre? I installed pcre-devel,
rebuilt the rpms, also tried direct "make install" from the build dir...
any hints highly appreciated... as I can't see how to further troubleshoot
this issue...
Thanks,
Mohamed.
On Fri, Jun 26, 2015 at 12:03 PM, Mohamed Lrhazi <
Mohamed.Lrhazi at georgetown.edu> wrote:
> Hello,
>
> I am redeploying 3.0.8 on a new system using the same config files as my
> existing prod systems... but in the new system, I get this error...
>
> Username does have a dot in the realm... but the expression somehow
> fails...
>
> (0) # Executing section authorize from file
> /etc/raddb/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (User-Name != "%{tolower:%{User-Name}}") {
> (0) EXPAND %{tolower:%{User-Name}}
> (0) --> *georgetown_test at eduroamus.edu
> <georgetown_test at eduroamus.edu>*
> (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (0) if (User-Name =~ / /) {
> (0) if (User-Name =~ / /) -> FALSE
> (0) if (User-Name =~ /@.*@/ ) {
> (0) if (User-Name =~ /@.*@/ ) -> FALSE
> (0) if (User-Name =~ /\\.\\./ ) {
> (0) if (User-Name =~ /\\.\\./ ) -> FALSE
> (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) {
> (0) * if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> TRUE*
> (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) {
> (0) update reply {
> (0) Reply-Message += "*Rejected: Realm does not have at least
> one dot separator*"
> (0) } # update reply = noop
> (0) [reject] = reject
> (0) } # if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> = reject
> (0) } # policy filter_username = reject
> (0) } # authorize = reject
> (0) Using Post-Auth-Type Reject
>
>
> In the config, the rule looks like so:
>
> sudo grep -A4 -B5 -r "dot separator" /etc/raddb
> /etc/raddb/policy.d/filter- # must have at least 1 string-dot-string
> after @
> /etc/raddb/policy.d/filter- # e.g. "user at site.com"
> /etc/raddb/policy.d/filter- #
> /etc/raddb/policy.d/filter- if ((User-Name =~ /@/) && (User-Name !~
> /@(.+)\\.(.+)$/)) {
> /etc/raddb/policy.d/filter- update reply {
> /etc/raddb/policy.d/filter: Reply-Message +=
> "Rejected: Realm does not have at least one dot separator"
> /etc/raddb/policy.d/filter- }
> /etc/raddb/policy.d/filter- reject
> /etc/raddb/policy.d/filter- }
> /etc/raddb/policy.d/filter-
>
>
> Thanks,
> Mohamed.
>
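
A check that separates the two possibilities raised above, as an added example that is not part of the original post: it evaluates the filter condition once with the regex text taken verbatim from `policy.d/filter` and once with each doubled backslash collapsed. It assumes, which this message does not confirm, that the old and new builds may differ in how often the backslashes are unescaped before the regex is compiled; Python's `re` stands in for the server's regex library and the function names are hypothetical.

```python
import re

# Constructed sample: the user name from the debug output, with the list
# archive's " at " written back as "@".
USER_NAME = "georgetown_test@eduroamus.edu"

# The regex text exactly as it appears between the slashes in the config.
CONFIG_TEXT = r"@(.+)\\.(.+)$"


def unescape_once(text):
    """Collapse each doubled backslash, as a string-unescaping parser would."""
    return text.replace("\\\\", "\\")


def filter_rejects(user_name, pattern):
    """Mirror the policy: (User-Name =~ /@/) && (User-Name !~ pattern)."""
    has_at = re.search("@", user_name) is not None
    realm_ok = re.search(pattern, user_name) is not None
    return has_at and not realm_ok


def diagnose(user_name, config_text=CONFIG_TEXT):
    """Return the reject decision under both readings of the config text."""
    return {
        # Engine receives @(.+)\.(.+)$ : a literal dot is required.
        "unescaped_once": filter_rejects(user_name, unescape_once(config_text)),
        # Engine receives @(.+)\\.(.+)$ : a literal backslash followed by
        # any single character is required.
        "passed_verbatim": filter_rejects(user_name, config_text),
    }


if __name__ == "__main__":
    # Second name is constructed: it has a backslash and no dot in the realm.
    for name in (USER_NAME, "user@site\\xcom"):
        print(name, diagnose(name))
```

If the verbatim reading reproduces the `-> TRUE` line from the debug output while the unescaped reading does not, the escaping in the config is the thing to compare between the two systems before looking at the pcre version.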