(RADIATOR) Rejecting users with not allowed characters in username

Hugh Irvine hugh at open.com.au
Tue Jul 31 01:15:32 CDT 2001


Hello Karel -

At 15:42 +0200 01/7/30, c.w.vandervelden at kpn.com wrote:
>Hello there,
>
>We recently started billing to our customers, but now I'm confronted 
>with users trying to get a workaround.
>
>In our authentication we make use of an LDAP server. Users are now 
>trying to log in with characters like:
>* and \
>
>The LDAP authentication succeeds (with eg. * being interpreted as a 
>wild card), and next the billing fails at first-> user not found (we 
>manually make sure the record does get recorded).
>
>Question:
>How do I prevent authentication to succeed?
>
>Do I need to use PreAuthHook code to reject these creative users?
>
>Anybody suggestions?

This topic has been discussed many times on the list, however my 
recommendation is always to set up a special Handler to reject such 
usernames immediately. Obviously, you must use Handlers in your 
configuration file to be able to do this:

# set up AuthBy to reject everything

<AuthBy FILE>
	Identifier RejectUsers
	Filename %D/reject.users
</AuthBy>

# set up a Handler to reject illegal characters in usernames
# this will reject all characters not in the list

<Handler User-Name = /[^A-Za-z0-9\.\-\_\@]/>
	AuthBy RejectUsers
</Handler>

And the file "reject.users" would contain this:

# reject.users

DEFAULT Auth-Type = Reject


Note that in the next version of Radiator you will be able to do this 
with a global parameter in the configuration file.

hth

Hugh

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
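
Added example, not part of the original post and not Radiator code: a Python sketch that applies the allowlist intended by the Handler pattern to constructed usernames and, going one step beyond the post, escapes the value per RFC 4515 before it is placed in an LDAP search filter. The `(uid=...)` filter template and all function names are assumptions.

```python
import re

# Allowlist from the Handler pattern: a match means an illegal character is present.
ILLEGAL = re.compile(r"[^A-Za-z0-9.\-_@]")

# RFC 4515 escapes for characters that are special inside a search filter value.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

FILTER_TEMPLATE = "(uid={})"  # assumed filter; the post does not show the real one


def is_rejected(username: str) -> bool:
    """True when the Handler regex would match and the request is rejected."""
    return ILLEGAL.search(username) is not None


def naive_filter(username: str) -> str:
    """Filter built by plain substitution: '*' stays a wildcard."""
    return FILTER_TEMPLATE.format(username)


def safe_filter(username: str) -> str:
    """Filter with the value escaped, so '*' and '\\' are matched literally."""
    escaped = "".join(LDAP_ESCAPES.get(ch, ch) for ch in username)
    return FILTER_TEMPLATE.format(escaped)


def triage(usernames):
    """Return (username, rejected, naive filter, escaped filter) per entry."""
    return [(u, is_rejected(u), naive_filter(u), safe_filter(u)) for u in usernames]


if __name__ == "__main__":
    # Constructed sample usernames, not taken from any real log.
    samples = ["karel@kpn.com", "j.smith-01", "*", "ka*", "a\\b", "bob smith"]
    for user, rejected, naive, safe in triage(samples):
        verdict = "REJECT" if rejected else "accept"
        print(f"{verdict:6}  {user!r:18} naive={naive:20} escaped={safe}")
```

The allowlist is the primary control because it also keeps the name recorded for billing identical to the name that authenticated; the escaping only guards the directory lookup.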