Bug 58914 - FreeRADIUS machine account rewrite forces lowercase and breaks LDAP hostname matching
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 5.2
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-12-19 17:06 CET by Mirac Erdemiroglu
Modified: 2026-01-05 15:00 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2025121821000117
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Description Mirac Erdemiroglu univentionstaff 2025-12-19 17:06:51 CET
**Summary:**
Preserve original hostname casing during machine account rewrite in FreeRADIUS (avoid forced lowercase)

**Description:**
When processing machine accounts, FreeRADIUS currently rewrites the `User-Name` to lowercase. This behavior causes issues in environments where the hostname casing is significant.

Example:
A Windows machine account `NB07304$` is rewritten to `nb07304$`. During a TLS-based authentication, this lowercase value is used for subsequent LDAP lookups. Because the LDAP directory stores the hostname in uppercase, the lookup for group membership (e.g., group containing VLAN assignments) fails.

The root cause appears to be the use of `tolower` in the rewrite condition within `default`:

```
File: /etc/freeradius/3.0/sites-available/default
Line: 903

902   # Rewrite username if it is a machine account. The krb5PrincipalName is passed as User-Name in the request in this case.
903       if ("%{tolower:%{request:User-Name}}" =~ /^host\/(.*)\.miro.intranet/) {
```

The enforced lowercase transformation is performed before extracting the hostname, which results in a modified `uid` that does not match LDAP entries relying on original casing.

**Findings / Investigation:**

* The behavior originates from `tolower` in the IF condition.
* It appears to be used to normalize Windows machine accounts.
* However, in environments where hostnames must match LDAP attributes exactly—including casing—this rewrite breaks group lookup logic.

**Workaround:**
A possible workaround is to use a case-insensitive regex while preserving the original captured group. Example:

```
if ("%{request:User-Name}" =~ /(?i)^host\/(.*)\.miro.intranet/) {
    update request {
        User-Name := "%{1}$"
    }
}
```

This preserves the original casing via `%{1}` while ensuring tolerant case-insensitive matching.
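As an added illustration (not part of this report and not FreeRADIUS code), the Python below mimics both unlang conditions against a constructed directory entry stored as `NB07304$`, so the effect of applying `tolower` before the capture can be checked directly. The group name `vlan-staff` and the helper names are assumptions.

```python
import re

# Constructed directory sample: uid stored in the original (uppercase) casing,
# mapped to the groups the reporter's VLAN assignment depends on.
LDAP_UIDS = {"NB07304$": ["vlan-staff"]}  # constructed, not real data

# Regex as in the report; the domain suffix is escaped here for precision.
MACHINE_RE = r"^host/(.*)\.miro\.intranet"
PATTERN = re.compile(MACHINE_RE)
PATTERN_ICASE = re.compile(MACHINE_RE, re.IGNORECASE)


def rewrite_lowercase(user_name: str) -> str:
    """Mirror of the shipped condition: tolower runs before the capture,
    so %{1} is already lowercase by the time User-Name is rewritten."""
    m = PATTERN.match(user_name.lower())
    return f"{m.group(1)}$" if m else user_name


def rewrite_preserving(user_name: str) -> str:
    """Workaround from the report: match case-insensitively but capture
    from the untouched value, so the hostname keeps its casing."""
    m = PATTERN_ICASE.match(user_name)
    return f"{m.group(1)}$" if m else user_name


def ldap_groups(uid: str) -> list:
    """Case-sensitive uid lookup, as in the reporter's directory."""
    return LDAP_UIDS.get(uid, [])


def compare(user_name: str) -> dict:
    """Run both rewrites and report what the group lookup returns for each."""
    low, keep = rewrite_lowercase(user_name), rewrite_preserving(user_name)
    return {
        "lowercase": (low, ldap_groups(low)),
        "preserving": (keep, ldap_groups(keep)),
    }


if __name__ == "__main__":
    for name in ("host/NB07304.miro.intranet", "host/NB07304.MIRO.INTRANET", "alice"):
        print(name, "->", compare(name))
```

Whether an inline `(?i)` is honoured in unlang depends on the regex library FreeRADIUS was built with (PCRE accepts it, POSIX regex does not), so the running server should be checked with a real machine-account request after the change.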

**Requested enhancement:**
Introduce an option or modify the default logic so that FreeRADIUS does **not forcibly lowercase the machine account name**, or provide a configurable setting to preserve original casing when rewriting `User-Name`.

This would ensure compatibility with LDAP environments that depend on case-sensitive hostnames for group membership, VLAN assignment, or policy lookup.

**Environment:**

* FreeRADIUS 3.0 (default site configuration)
* Windows machine accounts using `host/…` identities
* LDAP directory enforcing case-sensitive hostnames