On 25/07/13 10:43, stefan.pae...@diamond.ac.uk wrote:
Alan,

https://confluence.terena.org/display/H2eduroam/freeradius-sp implies that after v2.1.9, 
"%{Realm}" would contain "DEFAULT", not whatever the realm extracted from 
User-Name was, when used in logging... Hence my question.

Of course, if this is no longer an issue, then I'll happily amend our instructions to 
leave the DEFAULT realm as-is. Also, when I wrote "DEFAULT {}", it was a 
shortening (for the sake of brevity) of:

realm DEFAULT {
    authhost = blah
    etc etc etc
}

I was just trying to save some lines and extraneous text here.

IMHO you're much better off avoiding the "realm" module, and handling the processing yourself in unlang, particularly if you're doing an eduroam or other federation. This lets "Realm" and "Proxy-To-Realm" be different values, and for extended checking to be done on the realm value.

We do something like this:

authorize {
  # Split User-Name into user part and realm; the greedy (.*) means the
  # realm is whatever follows the last "@".
  if (User-Name =~ /^(.*)@(.+)$/) {
    update request {
      Stripped-User-Name := "%{1}"
      Realm := "%{toupper:%{2}}"
    }
    # Realms handled locally
    if ((Realm == "MY.REALM1") || (Realm == "MY.REALM2")) {
      update control {
        Proxy-To-Realm := "MYREALM"
      }
    }
    # Anything else must at least look like a DNS-style realm
    elsif (Realm !~ /^([-A-Z0-9]+\.)+[-A-Z0-9]+/) {
      # invalid realm format
      reject
    }
    # Everything else goes to the federation
    else {
      update control {
        Proxy-To-Realm := "EDUROAM"
      }
    }
  }
  # No "@" at all: nothing to route
  else {
    reject
  }
}
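To see what that policy does with a few representative User-Name values, here is a small Python model of it (added as an illustration, not code from the post or from FreeRADIUS; the realm names are the post's placeholders). It also shows the effect of the realm format check having no trailing `$` anchor, which the post's regex as written does not have.

```python
import re

# Local realms from the post (placeholder names, not real realms)
LOCAL_REALMS = {"MY.REALM1", "MY.REALM2"}

# Same expressions as the unlang in the post
USERNAME_RE = re.compile(r"^(.*)@(.+)$")
REALM_RE = re.compile(r"^([-A-Z0-9]+\.)+[-A-Z0-9]+")   # note: no trailing $


def classify(user_name: str, anchored: bool = False):
    """Model the authorize section.

    Returns (action, Stripped-User-Name, Realm, Proxy-To-Realm).
    anchored=True appends a $ to the realm check, which the post's
    regex lacks, to show the difference.
    """
    m = USERNAME_RE.match(user_name)
    if not m:
        return ("reject", None, None, None)
    stripped, realm = m.group(1), m.group(2).upper()
    if realm in LOCAL_REALMS:
        return ("proxy", stripped, realm, "MYREALM")
    check = re.compile(REALM_RE.pattern + "$") if anchored else REALM_RE
    if not check.match(realm):
        return ("reject", stripped, realm, None)
    return ("proxy", stripped, realm, "EDUROAM")


if __name__ == "__main__":
    # Constructed sample User-Name values
    for name in ("alice@my.realm1", "bob@example.ac.uk", "nobody",
                 "bob@localhost", "a@b@example.org", "bob@example.org!x"):
        print(f"{name:22} unanchored={classify(name)}  "
              f"anchored={classify(name, anchored=True)}")
```

Two things worth noticing in the output: because `(.*)` is greedy, `a@b@example.org` is split at the last `@`, and `bob@example.org!x` passes the unanchored check (the regex matches the `EXAMPLE.ORG` prefix) while the anchored variant rejects it.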
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html