How does Stripped-User-Name get evaluated?

Alan DeKok aland at
Tue Apr 17 18:21:38 CEST 2018

On Apr 17, 2018, at 9:59 AM, Nick Howitt <nick at> wrote:
> I am doing an ldap lookup with /etc/raddb/mods-available/ldap:
>     user {
>         base_dn = "${..base_dn}"
>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> It comes back correctly with a simple username, but with a Domain username such as "test/MINI-1.CLEARSYSTEM" it always tries to look up user "test/MINI-1.CLEARSYSTEM".

  Because you don't have "MINI-1.CLEARSYSTEM" set up as a realm.

> Changing
>   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> to
>   filter = "(uid=%{Stripped-User-Name})"
> looks up a blank user and
>   filter = "(uid=%{User-Name})"
> looks up user "test/MINI-1.CLEARSYSTEM" which fails.
> I think I am thinking is the function creating Stripped-User-Name is not being called. If so, how can I fix it?

  Read the debug log.  It shows you when it's creating a Stripped-User-Name.

  Read the proxy.conf file, and the "realms" module.  They take care of defining realms and stripping user names.

  Alan DeKok.

More information about the Freeradius-Users mailing list