So I played with my copy of the code to change what nostrip being unset means (now, it writes the Stripped-User-Name attribute, but no longer rewrites the User-Name attribute with the stripped username), and I'm still running into problems:

(0) HOKIES : Looking up realm "hokies" for User-Name = "hokies\dawson"
(0) HOKIES : Found realm "~HOKIES"
(0) HOKIES : Adding Stripped-User-Name = "dawson"
(0) HOKIES : Adding Realm = "hokies"
(0) HOKIES : Proxying request from user dawson to realm ~HOKIES
(0) HOKIES : Preparing to proxy authentication request to realm "~HOKIES"
(0) [HOKIES] = updated
(0) guest : Request already proxied. Ignoring.
(0) [guest] = ok
(0) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
(0) ... skipping elsif for request 0: Preceding "if" was taken
(0) eap : Request is supposed to be proxied to Realm ~HOKIES. Not doing EAP.
(0) [eap] = noop
(0) sql : expand: %{Stripped-User-Name} ->
(0) sql : sql_set_user escaped user --> ''

There at the end, what's ending up in the sql module just does NOT have Stripped-User-Name set, and that's driving me batty. The only way I've ever had that working was to manually, in unlang, set it to a fixed string (Stripped-User-Name := dawson). Any ideas what's causing this difficulty?

-Jacob

On 14 Jul 2011, at 08:49, Jacob Dawson wrote:

>
> On 14 Jul 2011, at 03:42, Alexander Clouter wrote:
>
>> In article <795d5ee4-7536-431e-926a-98e70efa1...@vt.edu> you wrote:
>> Although to prevent down the road severe levels of pain when enabling
>> eduroam you should be using something like 'daw...@hokies.vt.edu', could
>> you not just use 'ntdomain' (a built in module that will do this for
>> you)? 'ntdomain' should create Realm and Stripped-User-Name in the
>> manner you want.
> Are you suggesting that using a prefix domain like that will cause problems,
> or that I should be using the realms module?
> I have no problem with using the module, as it's worked well for the proxying
> side of things, but I need to be able to authorize the users on our domain,
> and that means I need to get a stripped username and pass it to the DB. I'll
> poke at it and see if I can get that side working.
>
>>
>> I was going to ask why you were not doing the perl stuff in unlang. :)
>>
> It seemed like a good idea at the time.
>
>>> (1) ? elsif ("%{User-Name}" =~ /^(.*\\)(.*)$/)
>>> (1) expand: %{User-Name} -> hokies\dawson
>>> ERROR: Failed compiling regular expression: Unmatched ( or \(
>>> (1) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
>>>
>>> where the relevant part of sites-enabled/default authorize section
>> looks thus:
>>>
>>> elsif("%{User-Name}" =~ /^(.*\\)(.*)$/){
>>>     update request{
>>>         Stripped-User-Name := "%{$`}"
>>>     }
>>> }
>>>
>> $' and $` is a perlism. You want something like (look at policy.conf
>> rewrite.calling_station_id and rewrite.called_station_id as an example):
>> ----
>> if (User-Name =~ /^[^\\]\\?(.*)$/) {
>>     update request {
>>         Stripped-User-Name := "%{1}"
>>     }
>> }
>> ----
>>
>> Untested, but hopefully you get the idea. :)
> This works a little better:
> elsif("%{User-Name}" =~ /^(.*)\\\\?(.*)$/){
>     update request{
>         Stripped-User-Name := "%{2}"
>     }
> }
>
> But gives this:
> (5) ? Evaluating ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) -> TRUE
> (5) ? elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) -> TRUE
> (5) elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) {
> (5) - entering elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) {...}
> (5) update request {
> (5) expand: %{2} ->
> (5) } # update request = updated
> (5) - elsif ("%{User-Name}" =~ /^(.*)\\\\?(.*)$/) returns updated
> (5) - if ("%{User-Name}" !~ /^.*\/.*$/) returns updated
> ....
> (5) sql : expand: %{Stripped-User-Name} ->
> (5) sql : sql_set_user escaped user --> ''
>
>
> Not sure what I should be doing there. Changed it to %{0} and also to %{1}
> and both gave me hokies\dawson, which was at least successfully written into
> Stripped-User-Name.
>
> Would love some more insight into how unlang handles these things, as I'm
> sure we'll run into a use for it in the future, even if I manage a
> realms-based solution to this.
>
> Thanks much,
> - Jacob
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
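
An added example, not part of the original thread and not FreeRADIUS code: it replays the two elsif patterns quoted above through Python's re module to show why the first fails to compile and why the second leaves %{2} empty, which is the '' that reaches sql_set_user. Assumptions: the config parser removes one level of backslash escaping before the regex is compiled (consistent with the debug output quoted above), Python's re stands in for the server's regex library, and REQUIRED_SEP is a hypothetical pattern that has not been tested on a server.

```python
import re

# Constructed sample input, in the User-Name format shown in the thread.
USER = r"hokies\dawson"

# Patterns exactly as written between the slashes in the unlang conditions.
FIRST_TRY = r"^(.*\\)(.*)$"
SECOND_TRY = r"^(.*)\\\\?(.*)$"
# Hypothetical alternative (not from the thread): the separator is required
# and the realm part may not contain a backslash.
REQUIRED_SEP = r"^([^\\\\]+)\\\\(.+)$"


def after_config_parser(written: str) -> str:
    """Assumed model: the config parser strips one level of backslash escaping."""
    return re.sub(r"\\(.)", r"\1", written)


def evaluate(written: str, user: str):
    """Return (pattern seen by the regex engine, outcome, capture groups)."""
    seen = after_config_parser(written)
    try:
        match = re.match(seen, user)
    except re.error:
        # e.g. "\)" is a literal paren, so the first "(" is never closed
        return seen, "compile error", None
    if match is None:
        return seen, "no match", None
    return seen, "match", match.groups()


if __name__ == "__main__":
    patterns = [("first try", FIRST_TRY),
                ("second try", SECOND_TRY),
                ("required separator", REQUIRED_SEP)]
    for name, written in patterns:
        for user in (USER, "dawson"):
            seen, outcome, groups = evaluate(written, user)
            print(f"{name:19} {user:14} regex={seen:20} {outcome} {groups}")
```

With the separator optional, the greedy first group takes the whole name and group 2 is always empty; requiring the separator splits realm and user, and a name without a prefix simply does not match.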