On 26.03.2013 13:50, John Horne wrote:
> Hello,
>
> Using Freeradius 2.1.10 I have been trying to see if I can proxy a
> request to a remote server but using a different User-Name attribute
> based on the original request User-Name attribute.
>
> For example so that:
> Request 'j.blo...@plymouth.ac.uk' gets proxied to remote server with
> User-Name="j.blo...@plymouth.ac.uk" in the proxy request.
> Request 'jblo...@plymouth.ac.uk' gets proxied to the same remote server
> but uses the User-Name="jbloggs" attribute (so no realm) in the proxy
> request.
>
> So basically if a username contains a dot, then proxy on the whole thing
> (username and realm). But if the username does not contain a dot, then
> only proxy on the username, no realm.
>
> I have been trying in the authorize section to use:
>
> =========================
> if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {
> if (User-Name =~ /^([^.]+)@/) {
> update control {
> Proxy-To-Realm := NULL
> }
> }
> }
> =========================
>
> The NULL realm will 'strip' the username, and proxy the request to the
> remote server. However, testing shows that the User-Name being sent is
> the original one still with the realm:
If the NULL realm is set to strip, then the stripped user name will be
stored in the attribute "Stripped-User-Name". User-Name will remain
untouched.
After your update control, you can do :
update request {
User-Name := %{Stripped-User-Name:-%{User-Name}}
}
You could also use the preproxy_users which allow you to rewrite the
request before it is proxied. It contains the exact example for your case.
Olivier
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
