On Sat, Mar 26, 2011 at 4:45 AM, Robert Roll <robert.r...@utah.edu> wrote:
> A normal authorize might look like:
>
>
> ldapAuthUser
>
> if( %Realm ) {
> ldapAuthVLAN
> }
>
> If one is smart about naming the Group in ldap the same as the Realm,
> then one can quite easily construct a search filter in the ldap module to
> look at the appropriate group in ldap. That group would actually have the
> particular radiusReplyItem to return the correct VLAN...
>
> Note that in the above the Realm is quite useful, but there is NO need to
> actually do proxy, so really no "REAL" need to get into the proxy.conf ?
If you just want to split username@realm into username and realm, you
should be able to use this in authorize section
if ("%{request:User-Name}" =~ /^(.*)@/) {
update request {
Stripped-User-Name := "%{1}"
Realm := "%{2}"
}
}
As a side note, even if you only use freeradius locally (without any
external server to proxy to), using proxy can be useful if you have
multiple realms with different configurations. Using proxy you can
split the request into different virtual servers based on their realm.
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
