List:       freeradius-users
Subject:    Re: User name case insensitivity - revisited
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2022-06-11 22:22:03
Message-ID: 4CECE606-A2E2-4343-8A05-288755D79A47 () deployingradius ! com

On Jun 11, 2022, at 2:21 PM, Luveh Keraph <1.41421@gmail.com> wrote:
> 
> I thought I had grasped what is involved in making FreeRADIUS 3.0.* to
> process user names in a case-insensitive way, but I am not so sure now.

  That's a bit of an incorrect understanding.  The server is composed of a
bunch of modules.  Each module has its own configuration.  You should be
able to configure a particular module to do lowercase checking.

> Here is what I have done:
> 
> First, I added the following line in my /etc/raddb/mods-enabled/files:
> 
> key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"

  Or:

	key = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}"

  This picks either Stripped-User-Name OR User-Name, and then lowercases the result.

  The line you have above only lowercases User-Name, and leaves
Stripped-User-Name alone.

> I launched my FreeRADIUS server after this.
> 
> I have the following entry in my /etc/raddb/users file:
> 
> ijk_user1 User-Password != "IJKpassword1"
> ijk_user1 Cleartext-Password := "IJKpassword1"

  Lowercase names there are good.

> With this, when I try to ssh as IJK_User1 (notice the mixed case) into a
> system that turns over authentication to my FreeRADIUS server, I get the
> following debugging information at this server:
> 
> Sat Jun 11 11:02:25 2022 : Debug: (0) files: EXPAND
> %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
> Sat Jun 11 11:02:25 2022 : Debug: (0) files:    --> ijk_user1
> Sat Jun 11 11:02:25 2022 : Debug: (0) files: users: Matched entry ijk_user1
> at line 447

  So it matches, that's good.
> 
> Sat Jun 11 11:02:25 2022 : Debug: (0) Sent Access-Accept Id 64 from
> 192.168.0.55.
> 23:1812 to 192.168.0.66:60600 length 0
> 
> Which is fine: the user name gets converted from IJK_User1 to ijk_user1 and
> the authentication with password IJKpassword1 succeeds, as expected.

  That's good.

> I then changed  the relevant entry in my /etc/raddb/users file as follows:
> 
> IJK_User1 User-Password != "IJKpassword1"
> IJK_User1 Cleartext-Password := "IJKpassword1"

   That won't work.

  The "key" configuration is lowercasing the User-Name from the packet.
That lowercased name is then used to compare with the names in the "users"
file.  The comparison there is case sensitive.

  So it won't work.

> If I understand things correctly, the key = ... line that I added to the
> files file does indeed recast the incoming user name to lowercase.

  Yes.

> However,
> the FreeRADIUS server still compares incoming user names against those in
> the users file in a case sensitive way.

  That's how it works.

> This is fine, but not quite what I was looking for.

  The first example works.  Why worry about it?

> Is it possible to get FreeRADIUS to compare user names (and user
> names alone - not passwords)  in a real case-insensitive way against those
> in the /etc/raddb/users file?

  No.

  There's no configuration item which says "do comparisons in a case
insensitive way".

  Your first configuration is correct.  Use it.  Why would you put names
into the "users" file in random uppercase / lowercase?

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
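
The following is an added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the two "key" expansions discussed above and of the case-sensitive "users" lookup, plus a check that lists entries a lowercased key can never reach. The sample file, the function names and the handling of DEFAULT as the only special name are assumptions of this sketch.

```python
# Simplified model (assumption: plain unquoted entry names, ASCII user names).
# Constructed sample of a "users" file; the password is a placeholder.
SAMPLE_USERS = """\
# constructed sample
ijk_user1 Cleartext-Password := "placeholder"
\tReply-Message := "lowercase entry"

IJK_User1 Cleartext-Password := "placeholder"

DEFAULT Auth-Type := Reject
"""

SPECIAL = {"DEFAULT"}  # fallback entry, never compared against the key


def key_quoted(request):
    """%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}: only User-Name is lowercased."""
    stripped = request.get("Stripped-User-Name")
    return stripped if stripped else request["User-Name"].lower()


def key_suggested(request):
    """%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}: pick one, then lowercase it."""
    return (request.get("Stripped-User-Name") or request["User-Name"]).lower()


def entry_names(users_text):
    """Yield (line_number, name) for each entry header (a line starting in column 0)."""
    for number, line in enumerate(users_text.splitlines(), 1):
        if not line.strip() or line[0] in " \t#" or line.startswith("$INCLUDE"):
            continue  # blank line, reply-item continuation, comment or include
        yield number, line.split()[0]


def lookup(key, users_text):
    """Line number of the first entry whose name equals the key exactly, else None."""
    for number, name in entry_names(users_text):
        if name not in SPECIAL and name == key:  # comparison is case sensitive
            return number
    return None


def unreachable(users_text):
    """Entries containing uppercase letters: a lowercased key never equals them."""
    return [(number, name) for number, name in entry_names(users_text)
            if name not in SPECIAL and name != name.lower()]


if __name__ == "__main__":
    for number, name in unreachable(SAMPLE_USERS):
        print(f"line {number}: entry '{name}' cannot match a lowercased key")
```

Running `unreachable()` over a real "users" file before switching to a lowercased key shows which accounts would silently fall through to DEFAULT handling.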

