I don't know if this is something you want to include but I thought I would mail it to you in case you do want it.
This patch causes the rlm_ldap module to reject usernames that have whitespace in them. This was causing me a lot of grief because ldap was accepting usernames with whitespace, causing the NAS to send accounting messages with white space. This white space caused the Simultaneous-Use code to break and it also caused a lot of accounting headaches.
There was also one case where a user was authenticated with more than 30 chars of whitespace, which broke accounting when the rlm_postgres module went to put that username in a varchar(20) column.
BTW, I can barely hack my way around C so hopefully there isn't anything wrong with my code.
schu
diff -urN rlm_ldap/rlm_ldap.c rlm_ldap.patched/rlm_ldap.c
--- rlm_ldap/rlm_ldap.c Wed Jul 16 14:22:41 2003
+++ rlm_ldap.patched/rlm_ldap.c Wed Jul 16 14:09:09 2003
@@ -148,6 +148,8 @@
#include "modules.h"
#include "rad_assert.h"
+#include <regex.h>
+
#define MAX_FILTER_STR_LEN 1024
#define TIMELIMIT 5
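Review bot: the unconditional #include <regex.h> added after rad_assert.h brings in the POSIX regex API for what is a test against a single character class. Consider dropping it and scanning the username with isspace() from <ctype.h> instead, which removes the dependency and avoids compiling a pattern on every authorize call.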
@@ -1002,6 +1004,8 @@
char module_fmsg[MAX_STRING_LEN];
LDAP_CONN *conn;
int conn_id = -1;
+ regex_t re;
+ char *pattern = "[[:space:]]";
DEBUG("rlm_ldap: - authorize");
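Review bot: pattern in the new declarations points at a string literal and is never modified, so it should be declared const char * (or static const char pattern[]), or dropped in favour of passing the literal straight to regcomp(). re is only used by the whitespace check, so its scope could be narrowed to that block rather than the whole function.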
@@ -1020,6 +1024,17 @@
radlog(L_ERR, "rlm_ldap: zero length username not permitted\n");
return RLM_MODULE_INVALID;
}
+
+ /*
+ * Check for valid input whitespace in names is not permitted
+ */
+ regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB);
+ if (regexec(&re, request->username->strvalue, (size_t) 0, NULL, 0) != 1) {
+ radlog(L_ERR, "rlm_ldap: whitespace in username not permitted\n");
+ return RLM_MODULE_INVALID;
+ }
+ regfree(&re);
+
DEBUG("rlm_ldap: performing user authorization for %s",
request->username->strvalue);
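Review bot: the test regexec(...) != 1 in the new whitespace check depends on REG_NOMATCH having the numeric value 1; regexec() returns 0 on a match and a nonzero code otherwise, so the condition should be == 0 (whitespace found) rather than a comparison with a magic number, which would also reject on any other error code. The early return RLM_MODULE_INVALID skips regfree(&re), so each rejected request leaks the compiled pattern; call regfree() before returning. The return value of regcomp() is ignored as well, so a failed compile leaves re unusable when regexec() runs. The comment above the check would read more clearly as "Check for valid input: whitespace in names is not permitted".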
