[freeside] export

Dave Burgess burgess at mitre.org
Fri Jan 4 15:31:02 PST 2002


Jeff Finucane wrote:

> Dave Burgess <burgess at mitre.org> wrote on Fri, 04 Jan 2002 15:57:27 -0600....
>
> +----------
> | >   Perhaps there should be an '@' in the code at line 289.
> | >
> | >   $username=$svc_acct->username . '@' . $svc_domain->domain;
> | >
> | >   would cause 'joe@domain.com' to appear in the radius tables.
> | >
> | >   If you have other ideas about the username_policy behavior, I'd be
> | > interested in hearing of them.  Clearly duplicate usernames in the
> | > radius tables would be a bad thing.
> |
> | I can't find a ready reference on what constitutes a valid username in a RADIUS file.
> |
> | I think that would break RADIUS.  The syntax for the RADIUS file is the username (usually
> | sans domain) followed by the Check Items on the same line, followed by the set items in
> | the rest of the file.  I haven't looked at the code yet, but I have been working with
> | RADIUS files for a long time.  I think the idea is that the username with the domain name
> | concatenated is a reasonable way to identify multiple users from multiple domains.
> | However it happens, the user probably needs to log in with the domain name on the end.
> |
> +----------
>

The username passed from the server to the RADIUS server would have to include whatever the user
typed in as their username.  My experience with our RADIUS daemon (pretty much limited to a
heavily modified Livingston 2.1) was that anything but a very limited set of characters (period,
dash, underscore) would cause our radiusd to puke.  Of course, ICRadius, Cistron, and FreeRadius
all seem to be more standards compliant (thanks for that RFC reference - I just couldn't find
it) and hence allow all kinds of kool stuff.

>
>  The original message referenced the tables for ICRadius support.  ICRadius
> is not broken by '@' in usernames.  I would suggest not having local domains
> overlap remote realms :|

That would be bad!  I totally agree.  In fact, it's an issue that I am getting ready to wrestle
with in full vigor here in the next couple of weeks.

>
>
>   According to RFC2865 the username attribute MAY contain an '@' ...
> in fact it MAY contain a lot of weird stuff...  text containing UTF-8
> encoded 10646 characters, a network access identifier as described in
> RFC2486, or a distinguished name in ASN.1 form.
>
>   I am failing to see how radius breaks.  Please enlighten me.

I didn't say would - I said might.  It would break my RADIUS daemon, but not most of the newer
ones apparently.

I suppose I'm going to have to update here one of these days....

Dave
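The collision the thread is worried about (the same bare username in two domains landing twice in the RADIUS tables) and the two charset questions (the narrow set an old Livingston-derived radiusd tolerated versus the RFC 2486 NAI form with an '@') can be checked mechanically. The script below is an added illustration written for this archive page, not Freeside code and not any RADIUS server's own parser. The policy names 'bare' and 'qualified' are stand-ins for whatever username_policy values Freeside uses, the legacy character set is taken from Dave's description rather than a spec, the sample accounts are constructed, and the output format is the Cistron/FreeRADIUS-style users file (User-Name and check items on one line, reply items tab-indented below it).

```python
import re
from collections import Counter

# Constructed sample accounts: (username, domain, password, reply items).
# "joe" appears in two domains on purpose to show the duplicate-key problem.
ACCOUNTS = [
    ("joe",   "domain.com",  "s3cret",  {"Framed-Protocol": "PPP"}),
    ("joe",   "example.net", "hunter2", {"Framed-Protocol": "PPP"}),
    ("alice", "domain.com",  "wonder",  {}),
]

# Assumption from the thread: the old Livingston-derived daemon only coped with
# letters, digits, period, dash and underscore. Not an RFC rule.
LEGACY_SAFE = re.compile(r"^[A-Za-z0-9._-]+$")

# Loose RFC 2486 NAI shape: user '@' realm, realm made of dot-separated labels.
NAI = re.compile(r"^[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")


def radius_username(username, domain, policy):
    """User-Name written to the RADIUS tables under a (hypothetical) policy:
    'bare' keeps the local part, 'qualified' appends '@' + domain."""
    if policy == "qualified":
        return username + "@" + domain
    if policy == "bare":
        return username
    raise ValueError("unknown username policy: %r" % policy)


def legacy_safe(name):
    """True if the name uses only the characters the old daemon tolerated."""
    return bool(LEGACY_SAFE.match(name))


def is_nai(name):
    """True if the name has the user@realm shape RFC 2486 describes."""
    return bool(NAI.match(name))


def find_collisions(accounts, policy):
    """User-Names that would appear more than once under this policy."""
    counts = Counter(radius_username(u, d, policy) for u, d, _, _ in accounts)
    return sorted(n for n, c in counts.items() if c > 1)


def users_file_entry(name, password, reply):
    """One users-file entry: check items on the first line, then reply items
    tab-indented, comma-separated, with no comma after the last one."""
    lines = ['%s\tAuth-Type := Local, User-Password == "%s"' % (name, password)]
    items = sorted(reply.items())
    for i, (attr, value) in enumerate(items):
        sep = "," if i < len(items) - 1 else ""
        lines.append("\t%s = %s%s" % (attr, value, sep))
    return "\n".join(lines)


def build_users_file(accounts, policy, legacy=False):
    """Render the users file, refusing duplicate User-Names and, when targeting
    the legacy daemon, refusing names it would choke on (such as '@')."""
    dupes = find_collisions(accounts, policy)
    if dupes:
        raise ValueError("duplicate RADIUS usernames under %r: %s"
                         % (policy, ", ".join(dupes)))
    entries = []
    for u, d, p, r in accounts:
        name = radius_username(u, d, policy)
        if legacy and not legacy_safe(name):
            raise ValueError("legacy radiusd cannot take username %r" % name)
        entries.append(users_file_entry(name, p, r))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print("bare policy collides on:", find_collisions(ACCOUNTS, "bare"))
    print(build_users_file(ACCOUNTS, "qualified"))
```

Run as-is it reports that the 'bare' policy collapses both "joe" accounts onto one key, then prints the domain-qualified users file; passing legacy=True with the 'qualified' policy fails on the first '@', which is the choice Dave describes facing between upgrading the daemon and appending the domain.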