split_username_nai clobbering user-name?
Adam Bishop
Adam.Bishop at jisc.ac.uk
Mon Oct 17 17:53:07 CEST 2016
Hopefully the final issue I have porting this config!
I'm using the suffix module for proxying, and the split_username_nai policy.
If I put suffix before split, everything is fine. If I put split before suffix, proxying breaks because the suffix module seems to use Stripped-User-Name.
For my configuration, I don't think it matters which order I call the module and the policy in, but I'm surprised by the behaviour - I can't see the policy updating the User-Name entry.
Failure:
(58) policy split_username_nai {
(58) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
No matches
Adding 4 matches
(58) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(58) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(58) update request {
(58) 1/4 Found: anonymous (10)
(58) EXPAND %{1}
(58) --> anonymous
(58) &Stripped-User-Name := anonymous
(58) 3/4 Found: dev.ja.net (11)
(58) EXPAND %{3}
(58) --> dev.ja.net
(58) &Stripped-User-Domain = dev.ja.net
(58) } # update request = noop
(58) modsingle[authorize]: calling updated (rlm_always)
(58) modsingle[authorize]: returned from updated (rlm_always)
(58) [updated] = updated
(58) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(58) ... skipping else: Preceding "if" was taken
(58) } # policy split_username_nai = updated
(58) modsingle[authorize]: calling suffix (rlm_realm)
(58) suffix: Checking for suffix after "@"
(58) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(58) suffix: No trust router configured, skipping dynamic realm lookup
(58) suffix: No such realm "NULL"
(58) modsingle[authorize]: returned from suffix (rlm_realm)
(58) [suffix] = noop
Success:
(58) modsingle[authorize]: calling suffix (rlm_realm)
(58) suffix: Checking for suffix after "@"
(58) suffix: Looking up realm "dev.ja.net" for User-Name = "anonymous at dev.ja.net"
(58) suffix: No trust router configured, skipping dynamic realm lookup
(58) suffix: No such realm "dev.ja.net"
(58) modsingle[authorize]: returned from suffix (rlm_realm)
(58) [suffix] = noop
(58) policy split_username_nai {
(58) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
No matches
Adding 4 matches
(58) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(58) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(58) update request {
(58) 1/4 Found: anonymous (10)
(58) EXPAND %{1}
(58) --> anonymous
(58) &Stripped-User-Name := anonymous
(58) 3/4 Found: dev.ja.net (11)
(58) EXPAND %{3}
(58) --> dev.ja.net
(58) &Stripped-User-Domain = dev.ja.net
(58) } # update request = noop
(58) modsingle[authorize]: calling updated (rlm_always)
(58) modsingle[authorize]: returned from updated (rlm_always)
(58) [updated] = updated
(58) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(58) ... skipping else: Preceding "if" was taken
(58) } # policy split_username_nai = updated
Regards,
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
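
An added example, not part of the original post and not FreeRADIUS code: a small Python model of the two orderings shown in the debug output above. It assumes, as the post suggests, that the realm lookup reads Stripped-User-Name when that attribute is present; the function names and the Python translation of the policy regex are this example's own.

```python
import re

# Python translation of the policy's POSIX regex: [[:alnum:]] becomes A-Za-z0-9.
NAI_RE = re.compile(r"^([^@]*)(@([-A-Za-z0-9]+\.[-A-Za-z0-9.]+))?$")


def split_username_nai(request):
    """Model of the policy: it writes Stripped-User-*, never User-Name."""
    m = NAI_RE.match(request.get("User-Name", ""))
    if not m:
        return "noop"
    request["Stripped-User-Name"] = m.group(1)                  # ":=" in the policy
    if m.group(3):
        request.setdefault("Stripped-User-Domain", m.group(3))  # "=" in the policy
    return "updated"


def realm_lookup_key(request):
    """Model of the suffix lookup.

    ASSUMPTION (taken from the behaviour reported in the post, not from the
    module source): the name examined is Stripped-User-Name when it exists,
    otherwise User-Name.
    """
    name = request.get("Stripped-User-Name", request["User-Name"])
    _, sep, realm = name.rpartition("@")
    return realm if sep else "NULL"


def run(order, user_name):
    """Run the two steps in the given order; return (realm looked up, request)."""
    request = {"User-Name": user_name}
    looked_up = None
    for step in order:
        if step == "split":
            split_username_nai(request)
        elif step == "suffix":
            looked_up = realm_lookup_key(request)
    return looked_up, request


if __name__ == "__main__":
    sample = "anonymous@dev.ja.net"  # constructed from the values in the log
    for order in (["split", "suffix"], ["suffix", "split"]):
        realm, req = run(order, sample)
        print(order, "-> realm", realm, "| User-Name still", req["User-Name"])
```

In this model User-Name is untouched in both orderings; only the attribute the lookup reads differs, which matches the "No '@' in User-Name = "anonymous"" line in the failing trace.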