Hi,

Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute...

 PEAP: Got tunneled EAP-Message
EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c200000000000000000949c9809c8a97e6c717a5
 PEAP: Setting User-Name to [EMAIL PROTECTED]
 PEAP: Sending tunneled request
EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c200000000000000000949c9809c8a97e6c717a5
   FreeRADIUS-Proxied-To = 127.0.0.1
   User-Name = "[EMAIL PROTECTED]"
   State = 0xc771177ac78f0d80e7ad35c717d8d32f
   Framed-MTU = 1480
   NAS-IP-Address = 139.184.6.156
   NAS-Identifier = "hp-e-falm-g-77-sw1"
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = "1"
   Called-Station-Id = "001c2ec47180"
   Calling-Station-Id = "001b63a3a8dd"
   Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = "1"
server default-inner {
+- entering group authorize
   expand: %{outer.request:Realm} -> local
   expand: %{outer.request:NAS-Flags} -> 010010110000000
   expand: %{outer.request:SS-Flags} -> 0000000000
   expand: %{outer.request:Supplicant-Flags} -> 0001000000
   expand: %{outer.request:Called-Station-SSID} ->
++[request] returns notfound
++? if ("%{User-Name}")
   expand: %{User-Name} -> [EMAIL PROTECTED]
? Evaluating ("%{User-Name}") -> TRUE
++? if ("%{User-Name}") -> TRUE
++- entering if ("%{User-Name}")
+++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
   expand: %{User-Name} -> [EMAIL PROTECTED]
? Evaluating ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
+++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
+++- entering if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
   expand: %{1} -> ac221
++++[request] returns notfound
   expand: %{3} -> sussex.ac.uk
   expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk
++++[request] returns notfound
+++- if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns notfound
+++ ... skipping else for request 5: Preceding "if" was taken
++- if ("%{User-Name}") returns notfound
rlm_ldap: - authorize
rlm_ldap: Attribute "User-Name" is required for authorization.
++[ldap] returns noop

Relevant filter line in LDAP is:

filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

Why is there now a static requirement for the User-Name attribute to be present 
anyway? Especially when the filter is defined in the config...
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
