I don't know if this is something you want to include but I thought I would mail it to you in case you do want it.
This patch causes the rlm_ldap module to reject usernames that have whitespace in them. This was causing me a lot of grief because ldap was accepting usernames with whitespace, causing the NAS to send accounting messages with whitespace. This whitespace caused the Simultaneous-Use code to break and it also caused a lot of accounting headaches.
There was also one case where a user was authenticated with more than 30 chars of whitespace, which broke accounting when the rlm_postgres module went to put that username in a varchar(20) column.
BTW, I can barely hack my way around C so hopefully there isn't anything wrong with my code.
schu
diff -urN rlm_ldap/rlm_ldap.c rlm_ldap.patched/rlm_ldap.c --- rlm_ldap/rlm_ldap.c Wed Jul 16 14:22:41 2003 +++ rlm_ldap.patched/rlm_ldap.c Wed Jul 16 14:09:09 2003 @@ -148,6 +148,8 @@ #include "modules.h" #include "rad_assert.h" +#include <regex.h> + #define MAX_FILTER_STR_LEN 1024 #define TIMELIMIT 5 @@ -1002,6 +1004,8 @@ char module_fmsg[MAX_STRING_LEN]; LDAP_CONN *conn; int conn_id = -1; + regex_t re; + char *pattern = "[[:space:]]"; DEBUG("rlm_ldap: - authorize"); @@ -1020,6 +1024,17 @@ radlog(L_ERR, "rlm_ldap: zero length username not permitted\n"); return RLM_MODULE_INVALID; } + + /* + * Check for valid input whitespace in names is not permitted + */ + regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB); + if (regexec(&re, request->username->strvalue, (size_t) 0, NULL, 0) != 1) { + radlog(L_ERR, "rlm_ldap: whitespace in username not permitted\n"); + return RLM_MODULE_INVALID; + } + regfree(&re); + DEBUG("rlm_ldap: performing user authorization for %s", request->username->strvalue);
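Review bot: In the hunk at -1002, `char *pattern = "[[:space:]]";` points at a string literal that is never modified, so it should be declared `const char *pattern` (or `static const char pattern[]`). Declaring `regex_t re` per call also means the pattern is compiled on every authorize request; if the regex stays, compiling it once at module instantiation would be cheaper.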
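Review bot: In the hunk at -1020, the test `regexec(...) != 1` relies on REG_NOMATCH having the numeric value 1, which POSIX does not specify; regexec returns 0 on a match and nonzero otherwise, so the rejection should be written as `== 0`. The return value of `regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB)` is not checked, so a failed compile leads to regexec being called on an invalid `re`. The early `return RLM_MODULE_INVALID;` also skips `regfree(&re)`, so every rejected username leaks the compiled pattern; call regfree before returning. Because the pattern is a single character class, a loop over `request->username->strvalue` using isspace() would do the same check without regex.h. The comment would read more clearly with punctuation, for example "Check for valid input: whitespace in names is not permitted".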