From e26b9f8e14fa97a8de94c43b3b9e55294334f645 Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Sun, 28 Mar 2021 10:24:35 -0400 Subject: [PATCH] add more WARNINGs so that people who read them will be enlightened. The default configuration depends on either User-Name or Stripped-User-Name containing the identity of the user logging in. If the identity is anonymized, and there's no Stripped-User-Name, we need to warn the administrator that there is not enough information to identify the user. --- src/main/auth.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/main/auth.c b/src/main/auth.c index d43d65e46e8..c3b776083e9 100644 --- a/src/main/auth.c +++ b/src/main/auth.c @@ -861,6 +861,22 @@ int rad_virtual_server(REQUEST *request) } if (request->reply->code == PW_CODE_ACCESS_ACCEPT) { + /* + * Check that there is a name which can be used + * to identify the user. The configuration + * depends on User-Name or Stripped-User-Name + * existing, and being (mostly) unique to that + * user. + */ + if (!request->parent && + (request->username->da->attr == PW_USER_NAME) && + (request->username->vp_strvalue[0] == '@') && + !fr_pair_find_by_num(request->packet->vps, PW_STRIPPED_USER_NAME, 0, TAG_ANY)) { + RWDEBUG("User-Name is anonymized, and no Stripped-User-Name exists."); + RWDEBUG("It may be difficult or impossible to identify the user"); + RWDEBUG("Please update Stripped-User-Name with information which identifies the user"); + } + rad_postauth(request); } -- 2.47.3