On Tue, Feb 21, 2017 at 02:11:05PM +0900, YASUOKA Masahiko wrote:
> Hi,
>
> On Mon, 20 Feb 2017 11:38:19 +0100
> Patrick Wildt <patr...@blueri.se> wrote:
> > when using RADIUS, the NT domains should not be stripped from the
> > username.
>
> I suppose it depends on the use-case.
>
> npppd.conf(5) mentions "strip-nt-domain" is "yes" by default and
> adding "strip-nt-domain no" in "authentication <NAME> type radius"
> section of npppd.conf should be able to change that behavior.
>
>    authentication RADIUS type radius {
>        strip-nt-domain no
>        authentication-server {
>        :
>
> Doesn't this help?
>
> > When a base object is instantiated based on an auth object,
> > the "strip_nt_domain" variable is always enforced to zero in case of
> > using RADIUS. The auth object itself though has it set to one by
> > default.
> >
> > Now on configuration reload in npppd_auth_reload(), the value is copied
> > from the corresponding auth object to the base object.
> >
> >    base->strip_nt_domain = auth->strip_nt_domain;
> >
> > Unfortunately in the case of RADIUS, this means that the RADIUS base
> > object gets overridden. So in that case reset it to zero like it's
> > done in npppd_auth_create().
>
> Thank you for pointing this out.
>
> Code in npppd_auth.c seems to be misleading. I'd like to make it
> clear that the default values always come from the configuration like
> below.
>
> diff --git a/usr.sbin/npppd/npppd/npppd_auth.c > b/usr.sbin/npppd/npppd/npppd_auth.c > index 101f8cc..11943c2 100644 > --- a/usr.sbin/npppd/npppd/npppd_auth.c > +++ b/usr.sbin/npppd/npppd/npppd_auth.c > @@ -75,8 +75,6 @@ npppd_auth_create(int auth_type, const char *name, void > *_npppd) > case NPPPD_AUTH_TYPE_LOCAL: > if ((base = calloc(1, sizeof(npppd_auth_local))) != NULL) { > base->type = NPPPD_AUTH_TYPE_LOCAL; > - base->strip_nt_domain = 1; > - base->strip_atmark_realm = 0; > strlcpy(base->name, name, sizeof(base->name)); > base->npppd = _npppd; 
> > @@ -89,7 +87,6 @@ npppd_auth_create(int auth_type, const char *name, void > *_npppd) > if ((base = calloc(1, sizeof(npppd_auth_radius))) != NULL) { > npppd_auth_radius *_this = (npppd_auth_radius *)base; > base->type = NPPPD_AUTH_TYPE_RADIUS; > - base->strip_nt_domain = 0; > strlcpy(base->name, name, sizeof(base->name)); > base->npppd = _npppd; > if ((_this->rad_auth_setting = > >
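
Review bot: in the NPPPD_AUTH_TYPE_LOCAL case of npppd_auth_create(), dropping `base->strip_nt_domain = 1;` leaves the field at the 0 that calloc() gives it until npppd_auth_reload() copies the value from the auth object, so a local base object used before its first reload would no longer strip the NT domain. Please confirm that a reload always runs before the object serves an authentication request, or note that dependency in a comment next to the calloc().

Review bot: in the NPPPD_AUTH_TYPE_RADIUS case, the removed `base->strip_nt_domain = 0;` was already a no-op after calloc(), so this hunk does not change what was reported at the top of the thread: the RADIUS base object still takes the configuration value on reload and strips the domain unless "strip-nt-domain no" is set. The commit message should say that RADIUS setups relying on the old create-time value now need the explicit setting.
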
I like consistency, so this is better. While there, please adjust
the manpage, since it is wrong about strip-nt-domain's default value.

ok patrick@

diff --git a/usr.sbin/npppd/npppd/npppd.conf.5 b/usr.sbin/npppd/npppd/npppd.conf.5 index aef090ea45b..cdfb8331a97 100644 --- a/usr.sbin/npppd/npppd/npppd.conf.5 +++ b/usr.sbin/npppd/npppd/npppd.conf.5 @@ -569,7 +569,7 @@ removes the NT domain prefix, such as '\e\eNTDOMAIN\e', from the username before contacting the authentication server. The default is -.Dq no . +.Dq yes . .It Ic strip-atmark-realm Ar yes | no Specify whether .Xr npppd 8
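
Review bot: the context line `.It Ic strip-atmark-realm Ar yes | no` sits directly below the corrected default, and the code change in this thread also removes the hard-coded `base->strip_atmark_realm = 0;`, so the default documented for that entry should be checked against what the configuration supplies in the same commit. If strip-nt-domain is described in more than one authentication section of the page, each copy needs the same `.Dq yes .` correction, since this hunk touches only the one at line 569.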