Variable passing question between modules

Matthew Newton mcn at freeradius.org
Fri Nov 1 17:29:09 CET 2019


On Fri, 2019-11-01 at 16:19 +0000, Adam Taylor wrote:
> (0)   authorize {
> (0)     if (User-Name =~ /@ulm\.edu$$/i){
> (0)     if (User-Name =~ /@ulm\.edu$$/i) -> FALSE
> (0)     if (User-Name =~ /@warhawks\.ulm\.edu$$/i) {
> (0)     if (User-Name =~ /@warhawks\.ulm\.edu$$/i)  -> TRUE
> (0)     if (User-Name =~ /@warhawks\.ulm\.edu$$/i)  {
> (0)       update request {
> (0)         Tmp-String-0 = "Students"
> (0)       } # update request = noop

Outer request.

> (7) server inner-tunnel {
> (7)   session-state: No cached attributes
> (7)   # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7)     authorize {
> (7)       [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: Looking up realm "warhawks.ulm.edu" for User-Name = "
> garretdr at warhawks.ulm.edu"
> (7) suffix: Found realm "warhawks.ulm.edu"
> (7) suffix: Adding Stripped-User-Name = "garretdr"
> (7) suffix: Adding Realm = "warhawks.ulm.edu"
> (7) suffix: Authentication realm is LOCAL
> (7)       [suffix] = ok
> (7)       update control {
> (7)         &Proxy-To-Realm := LOCAL
> (7)       } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 8 length 84
> (7) eap: No EAP Start, assuming it's an on-going EAP conversation
> (7)       [eap] = updated
> (7)       [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (7) ldap:    --> (uid=garretdr)
> (7) ldap: EXPAND ou=%{request:Tmp-String-0},ou=People,dc=ulm,dc=edu
> (7) ldap:    --> ou=,ou=People,dc=ulm,dc=edu

Inner tunnel.

Move the username check to the inner tunnel so it's generating the Tmp-String-0 in the right list.

Doing it where it is in the outer section means students can spoof as
staff and vice-versa by editing their anonymous identity.

-- 
Matthew
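What that relocation looks like, as an added example of an inner-tunnel authorize section (not the poster's config and not from the original reply; the "Staff" OU name, the assumption that both realms are defined in proxy.conf so that suffix sets &Realm, and the reject for unknown realms are all assumptions):

```unlang
# /etc/freeradius/3.0/sites-enabled/inner-tunnel (added example, not the poster's config)
authorize {
    # Runs against the *inner* EAP identity, the one whose password is
    # actually verified, not the attacker-chosen anonymous outer identity.
    suffix

    # Pick the OU from the realm that suffix just stripped from the inner
    # User-Name. Assumes both realms exist in proxy.conf so &Realm is set.
    if (&Realm == "warhawks.ulm.edu") {
        update request {
            &Tmp-String-0 := "Students"
        }
    }
    elsif (&Realm == "ulm.edu") {
        update request {
            &Tmp-String-0 := "Staff"     # assumed OU name
        }
    }
    else {
        # Unknown realm: never run the search with an empty OU
        # ("ou=,ou=People,dc=ulm,dc=edu" as in the quoted debug output).
        reject
    }

    # base_dn in mods-available/ldap stays
    # "ou=%{request:Tmp-String-0},ou=People,dc=ulm,dc=edu"; because the
    # update above wrote to this (inner) request list, it now expands.
    ldap
}
```

Since the decision is keyed to the identity that LDAP authenticates, rewriting the anonymous outer identity no longer changes which OU is searched.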