On 03/25/2011 10:09 PM, Robert Roll wrote:
If you just want to split username@realm into username and realm, you
should be able to use this in authorize section

                if ("%{request:User-Name}" =~ /^(.*)@(.*)$/) {
                        update request {
                                Stripped-User-Name := "%{1}"
                                Realm := "%{2}"
                        }
                }


  Yes, thanks, and we may end up doing exactly that. However, I'd just
point out that freeradius OBVIOUSLY already has the capability to do
exactly this, so why re-invent the wheel?

In fact, if you're just using variations of the username to signal different intent (an interesting idea in the context of vlan assignment), then you're actually doing something similar to old-style "hints" - the "hints" file that comes with the server has examples.

You can certainly use the "realm" module for this, and we used to do just that - but I've recently been convinced of the superiority of unlang, because you have a lot more control over the behaviour.

If you're bothered by unlang making your radius policy too unwieldy, you can make use of "policy.conf" to write a virtual "module" e.g.:

policy.conf:

policy {
  optional_realm {
    if (User-Name =~ /(.+)@(.+)/) {
      update request {
        Stripped-User-Name := "%{1}"
        Realm = "%{toupper:%{2}}"
      }
      updated
    }
    else {
      notfound
    }
  }
}

sites-enabled/XXX:

authorize {
  optional_realm
  if (updated) {
    update reply {
      Vlan := "%{ldap:... %{Realm} ...}"
    }
  }
}


As a side note, even if you only use freeradius locally (without any
external server to proxy to), using proxy can be useful if you have
multiple realms with different configurations. Using proxy you can
split the request into different virtual servers based on their realm.
--
Fajar

   Yes, I do agree... As I said earlier, some of what I am doing is just to
try and experiment and see what is possible.  I'm actually quite impressed
with Freeradius and right now, we are still a ways from what I would consider
any kind of final configuration...

In which case it's definitely worth trying the unlang approach, just to get familiar with the differences.

You can also of course do actual proxying, either to remote servers or other local virtual servers; just update the stuff above to also do:

 update control {
   Proxy-To-Realm := "..."
 }

This is an area where unlang is superior - you might want the "realm" and "proxy-to-realm" to be completely different and related in ways non-obvious, and impossible to express in proxy.conf (e.g. via an SQL lookup).


[1] Different for regexp realms, of course.
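The following is an added Python model of the optional_realm policy and the authorize block sketched above; it is not code from the thread or from FreeRADIUS. It reuses the same unanchored, greedy `(.+)@(.+)` pattern (evaluated here by Python's re module rather than the server's regex engine), upper-cases the realm as the policy does, and stands in for the SQL/LDAP lookup with a constructed REALM_POLICY table that maps each realm to a Proxy-To-Realm target (None meaning "handle locally") and a VLAN. The point it makes visible is how the edge cases fall out: a bare username or an empty local/realm part is "notfound", and a username containing more than one "@" is split at the last one.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Same pattern as the optional_realm policy: unanchored and greedy, so
# "a@b@c" splits into local part "a@b" and realm "c".
REALM_RE = re.compile(r"(.+)@(.+)")

# Constructed stand-in for the SQL/LDAP lookup alluded to in the thread.
# Keys are upper-cased because the policy stores %{toupper:%{2}} in Realm.
# proxy_to_realm None means the request is handled by this server.
REALM_POLICY = {
    "EXAMPLE.ORG": {"proxy_to_realm": None, "vlan": "staff"},
    "STUDENT.EXAMPLE.ORG": {"proxy_to_realm": None, "vlan": "students"},
    "PARTNER.NET": {"proxy_to_realm": "partner-proxy", "vlan": "guests"},
}


@dataclass
class RequestState:
    """The handful of request/control/reply attributes the policy touches."""
    user_name: str
    stripped_user_name: Optional[str] = None
    realm: Optional[str] = None
    proxy_to_realm: Optional[str] = None   # control list in FreeRADIUS terms
    reply: dict = field(default_factory=dict)


def optional_realm(state: RequestState) -> str:
    """Mirror of the optional_realm policy: returns 'updated' or 'notfound'."""
    m = REALM_RE.search(state.user_name)
    if not m:
        return "notfound"
    state.stripped_user_name = m.group(1)
    state.realm = m.group(2).upper()
    return "updated"


def authorize(user_name: str):
    """Mirror of the authorize block: split the realm, then decide proxying
    and VLAN from the (constructed) per-realm policy table."""
    state = RequestState(user_name)
    rc = optional_realm(state)
    if rc == "updated":
        policy = REALM_POLICY.get(state.realm)
        if policy is not None:
            state.proxy_to_realm = policy["proxy_to_realm"]
            # Only set a reply VLAN for requests we answer ourselves; a
            # proxied request's reply comes from the home server.
            if state.proxy_to_realm is None:
                state.reply["Vlan"] = policy["vlan"]
    return state, rc


if __name__ == "__main__":
    for name in ("alice@example.org", "dave@partner.net", "bob", "a@b@c", "carol@"):
        st, rc = authorize(name)
        print(f"{name!r:22} -> {rc:8} user={st.stripped_user_name!r} "
              f"realm={st.realm!r} proxy={st.proxy_to_realm!r} reply={st.reply}")
```

Unknown realms match the regex but have no table entry, so they are neither proxied nor given a VLAN; that is the place where a real deployment would decide between local handling and rejection, which the thread leaves open.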
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
