----- Original Message -----
> From: "Rob Turner" <r...@crosscut.org>
> To: freeradius-users@lists.freeradius.org
> Sent: Tuesday, June 29, 2010 9:55:57 PM
> Subject: Expanding Suffix or Realm attributes
>
> Problem: Cannot expand %{Realm} or %{Suffix} control attributes for
> use unless realm is explicitly defined in proxy.conf
>
> I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to
> perform an ldap dip to get the radiusProxyToRealm attribute for each
> request based on Suffix as configured in modules/ldap:
>
> filter = "(radiusRealm=%{Suffix})"
>
> NOTE: If using <filter = "(radiusRealm=domain.com)"> in modules/ldap,
> radiusProxyToRealm is returned successfully and things work as
> expected. In this case the Proxy-To-Realm (which is mapped in
> ldap.attrmap) is set in ldap to proxy.com and proxy.com is defined in
> proxy.conf.
>
> Output from radiusd -X:
> ...
> [suffix] Looking up realm "domain.com" for User-Name = "t...@domain.com"
> [suffix] No such realm "domain.com"
> ++[suffix] returns noop
> ++[files] returns noop
> [ldap] performing user authorization for t...@domain.com
> [ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=)
> ...
>
> After reading man unlang, I have also attempted (without success) to
> expand using the following in ldap filter:
>
> %{control:Realm}
> %{control:Suffix}
> %{suffix:User-Name}
> %{realm:User-Name}
>
> Finally, after revisiting man rlm_realm, I read the following which is
> of concern as I don't see any other way to utilize the
> radiusProxyToRealm attribute in ldap:
>
> "In either case, a Realm attribute is created and added to the packet
> on a match, which can be used by other modules."
>
> Is there currently any way to always match (regardless if the realm is
> defined in proxy.conf) in order to create a Stripped-User-Name and
> Realm run-time variable with every request?
>
> Regards,
>
> Rob
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Also, I've tried to use a regex realm such as

    realm "~.*\\.*\\.*$" {
        ignore_default = yes
        nostrip
    }

Output from radiusd -X:
...
[suffix] Looking up realm "domain.com" for User-Name = "t...@domain.com"
[suffix] Found realm "~.*\.*\.*$"
[suffix] Adding Realm = "~.*\.*\.*$"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
[ldap] performing user authorization for t...@domain.com
[ldap] expand: (radiusRealm=%{Realm}) -> (radiusRealm=~.\2a\5c.\2a\5c.\2a$)
...

The regex realm would work if I could use the Suffix or Realm attribute from something like the check or control list rather than "~.\2a\5c.\2a\5c.\2a$"

Thanks,

Rob
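Added example, not part of the original message and not FreeRADIUS code: the Realm value differs between "Adding Realm" and the expanded filter because '*' and '\' are escaped when the value is placed into the LDAP filter. The sketch assumes RFC 4515 escaping, which reproduces the string in the debug output above; the function names and the sample User-Name values are constructed for illustration.

```python
"""Sketch of LDAP filter-value escaping for a realm taken from User-Name."""

# RFC 4515 escape set (assumption: the server's own escape set may be wider).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape characters that would otherwise change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def realm_of(user_name: str) -> str:
    """Return the text after the last '@', or '' when there is no realm."""
    _, sep, realm = user_name.rpartition("@")
    return realm if sep else ""


def build_filter(realm_value: str) -> str:
    """Build the radiusRealm filter from an untrusted realm string."""
    return "(radiusRealm=%s)" % escape_filter_value(realm_value)


# Realm attribute as the debug output shows it for the regex realm.
MATCHED_REALM_NAME = r"~.*\.*\.*$"
# Constructed sample inputs, not taken from the post.
SAMPLE_USER = "alice@domain.com"
METACHAR_USER = "alice@exam*ple(.com)"
NO_REALM_USER = "alice"


def demo() -> dict:
    """Expand the filter for each case discussed in the thread."""
    return {
        "regex realm name": build_filter(MATCHED_REALM_NAME),
        "suffix of user name": build_filter(realm_of(SAMPLE_USER)),
        "metacharacters in realm": build_filter(realm_of(METACHAR_USER)),
        "no realm present": build_filter(realm_of(NO_REALM_USER)),
    }


if __name__ == "__main__":
    for label, ldap_filter in demo().items():
        print("%-24s %s" % (label, ldap_filter))
```

The first case shows that the filter received the regex realm's name rather than the suffix of the User-Name, and the last case matches the empty expansion seen when no realm attribute was set.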