From: Alan T. DeKok <aland@freeradius.org>
Date: Sun, 28 Mar 2021 14:24:35 +0000 (-0400)
Subject: add more WARNINGs so that people who read them will be enlightened.
X-Git-Tag: release_3_0_22~137
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e26b9f8e14fa97a8de94c43b3b9e55294334f645;p=thirdparty%2Ffreeradius-server.git

add more WARNINGs so that people who read them will be enlightened.

The default configuration depends on either User-Name or
Stripped-User-Name containing the identity of the user logging in.
If the identity is anonymized, and there's no Stripped-User-Name,
we need to warn the administrator that there is not enough
information to identify the user.
---

diff --git a/src/main/auth.c b/src/main/auth.c
index d43d65e46e..c3b776083e 100644
--- a/src/main/auth.c
+++ b/src/main/auth.c
@@ -861,6 +861,22 @@ int rad_virtual_server(REQUEST *request)
 	}
 
 	if (request->reply->code == PW_CODE_ACCESS_ACCEPT) {
+		/*
+		 *	Check that there is a name which can be used
+		 *	to identify the user.  The configuration
+		 *	depends on User-Name or Stripped-User-Name
+		 *	existing, and being (mostly) unique to that
+		 *	user.
+		 */
+		if (!request->parent &&
+		    (request->username->da->attr == PW_USER_NAME) &&
+		    (request->username->vp_strvalue[0] == '@') &&
+		    !fr_pair_find_by_num(request->packet->vps, PW_STRIPPED_USER_NAME, 0, TAG_ANY)) {
+			RWDEBUG("User-Name is anonymized, and no Stripped-User-Name exists.");
+			RWDEBUG("It may be difficult or impossible to identify the user");
+			RWDEBUG("Please update Stripped-User-Name with information which identifies the user");
+		}
+
 		rad_postauth(request);
 	}