Recursive string expansion

Dan Breslau dbreslau at
Fri May 26 22:43:50 CEST 2017

I have an issue with recursive string expansion -- that is, it is 
recursing in a situation where I'd rather it didn't. Specifically, with 
freeradius 3.0.13, in policy.d/moonshot_targeted_ids, if I set

targeted_id_salt = '${changeme'

then I get the error:

Fri May 26 20:23:37 2017 : Error: 
/etc/freeradius/policy.d/moonshot-targeted-ids[40]: Reference 
"${changeme%{tolower}" not found
Fri May 26 20:23:37 2017 : Error: Failed expanding section name
Fri May 26 20:23:37 2017 : Error: 
/etc/freeradius/policy.d/moonshot-targeted-ids[41]: Failed allocating 
memory for section
Fri May 26 20:23:37 2017 : Error: Errors reading or parsing 

This seems to be a reference to these two lines (starting at line 40) :

         if (&outer.request:GSS-Acceptor-Host-Name) {
                 if ("%{echo:/usr/bin/uuid -v 5 
=~ /^([^ ]+)([ ]*)$/) {

So it definitely looks like ${policy.targeted_id_salt} is expanded once, 
and then something attempts to expand the expanded string, which fails 
because '${changeme' is invalid xlat syntax.

I haven't found any user documentation indicating whether string 
expansion is recursive. I did find an older post by Arran where he says 
that "rlm_sql does recursive xlat" (see 
This makes me wonder whether this behavior is decided upon by the 
module's implementer.

If there is a way to prevent this behavior (i.e., force a string to be 
expanded non-recursively), I'd love to hear about it. I'd be happy to 
file a bug (or feature request) if that would be appropriate.


Dan Breslau

More information about the Freeradius-Users mailing list