Re: Expanding Suffix or Realm attributes
Rob Turner wrote:
> The regex realm would work if I could use the Suffix or Realm attribute from
> something like the check or control list rather than "~.\2a\5c.\2a\5c.\2a$"

This was fixed in 2.1.9. See the changelog on www.freeradius.org.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Expanding Suffix or Realm attributes
- Original Message -
> From: "Rob Turner"
> To: freeradius-users@lists.freeradius.org
> Sent: Tuesday, June 29, 2010 9:55:57 PM
> Subject: Expanding Suffix or Realm attributes
>
> Problem: Cannot expand %{Realm} or %{Suffix} control attributes for
> use unless realm is explicitly defined in proxy.conf
>
> I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to
> perform an ldap dip to get the radiusProxyToRealm attribute for each
> request based on Suffix as configured in modules/ldap:
>
> filter = "(radiusRealm=%{Suffix})"
>
> NOTE: If using in modules/ldap,
> radiusProxyToRealm is returned successfully and things work as
> expected. In this case the Proxy-To-Realm (which is mapped in
> ldap.attrmap) is set in ldap to proxy.com and proxy.com is defined in
> proxy.conf.
>
> Output from radiusd -X:
> ...
> [suffix] Looking up realm "domain.com" for User-Name = "t...@domain.com"
> [suffix] No such realm "domain.com"
> ++[suffix] returns noop
> ++[files] returns noop
> [ldap] performing user authorization for t...@domain.com
> [ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=)
> ...
>
> After reading man unlang, I have also attempted (without success) to
> expand using the following in ldap filter:
>
> %{control:Realm}
> %{control:Suffix}
> %{suffix:User-Name}
> %{realm:User-Name}
>
> Finally, after revisiting man rlm_realm, I read the following which is
> of concern as I don't see any other way to utilize the
> radiusProxyToRealm attribute in ldap:
>
> "In either case, a Realm attribute is created and added to the packet
> on a match, which can be used by other modules."
>
> Is there currently any way to always match (regardless if the realm is
> defined in proxy.conf) in order to create a Stripped-User-Name and
> Realm run-time variable with every request?
>
> Regards,
>
> Rob

Also, I've tried to use a regex realm such as

realm "~.*\\.*\\.*$" {
    ignore_default = yes
    nostrip
}

Output from radiusd -X:
...
[suffix] Looking up realm "domain.com" for User-Name = "t...@domain.com"
[suffix] Found realm "~.*\.*\.*$"
[suffix] Adding Realm = "~.*\.*\.*$"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
[ldap] performing user authorization for t...@domain.com
[ldap] expand: (radiusRealm=%{Realm}) -> (radiusRealm=~.\2a\5c.\2a\5c.\2a$)
...

The regex realm would work if I could use the Suffix or Realm attribute from something like the check or control list rather than "~.\2a\5c.\2a\5c.\2a$"

Thanks,

Rob
Re: Expanding Suffix or Realm attributes
Hi,

You can add the below in the hints file

DEFAULT User-Name =~ "^([...@]+)@([[:alnum:].\-_]*)$"
        Stripped-User-Name = "%{1}",
        Suffix = "%{2}"

Regards,

Sajeewa Warnakulasuriya
Systems Development Manager
Web: http://www.ispone.com.au/

On Tue, 29 Jun 2010, Rob Turner wrote:

> Problem: Cannot expand %{Realm} or %{Suffix} control attributes for use
> unless realm is explicitly defined in proxy.conf
>
> I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to
> perform an ldap dip to get the radiusProxyToRealm attribute for each
> request based on Suffix as configured in modules/ldap:
>
> filter = "(radiusRealm=%{Suffix})"
>
> NOTE: If using in modules/ldap, radiusProxyToRealm is returned
> successfully and things work as expected. In this case the
> Proxy-To-Realm (which is mapped in ldap.attrmap) is set in ldap to
> proxy.com and proxy.com is defined in proxy.conf.
>
> Output from radiusd -X:
> ...
> [suffix] Looking up realm "domain.com" for User-Name = "t...@domain.com"
> [suffix] No such realm "domain.com"
> ++[suffix] returns noop
> ++[files] returns noop
> [ldap] performing user authorization for t...@domain.com
> [ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=)
> ...
>
> After reading man unlang, I have also attempted (without success) to
> expand using the following in ldap filter:
>
> %{control:Realm}
> %{control:Suffix}
> %{suffix:User-Name}
> %{realm:User-Name}
>
> Finally, after revisiting man rlm_realm, I read the following which is
> of concern as I don't see any other way to utilize the
> radiusProxyToRealm attribute in ldap:
>
> "In either case, a Realm attribute is created and added to the packet
> on a match, which can be used by other modules."
>
> Is there currently any way to always match (regardless if the realm is
> defined in proxy.conf) in order to create a Stripped-User-Name and
> Realm run-time variable with every request?
>
> Regards,
>
> Rob
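
Added example, not part of the thread and not FreeRADIUS code: the `[ldap] expand:` lines in the debug output show the realm value being hex-escaped (`*` to `\2a`, `\` to `\5c`) before it enters the LDAP filter, and an unset Suffix expanding to `(radiusRealm=)`. This Python sketch reproduces both behaviours when building the filter from a User-Name; the function names, the permitted realm character set and the sample User-Name are assumptions made for illustration.

```python
import re

# RFC 4515 filter metacharacters and their hex escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed split rule (not the regex from the thread): user part without "@",
# realm limited to letters, digits, dot, hyphen and underscore.
_USER_REALM = re.compile(r"([^@]+)@([A-Za-z0-9._-]+)")


def ldap_escape(value):
    """Escape a value so it is only ever a literal inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_user_name(user_name):
    """Return (stripped_user_name, realm); realm is None when there is none."""
    m = _USER_REALM.fullmatch(user_name)
    if m is None:
        return user_name, None
    return m.group(1), m.group(2)


def realm_filter(realm):
    """Build the radiusRealm filter, refusing the empty expansion."""
    if not realm:
        raise ValueError("empty realm would expand to (radiusRealm=)")
    return "(radiusRealm=%s)" % ldap_escape(realm)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real server.
    user, realm = split_user_name("alice@domain.com")
    print(user, realm, realm_filter(realm))
    # The regex realm *name* from the debug output, treated as a plain value.
    print(realm_filter("~.*\\.*\\.*$"))
```

The second call yields the same filter string as the `radiusd -X` output in the thread, which is why the lookup searched for the regex text rather than for `domain.com`.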
Expanding Suffix or Realm attributes
Problem: Cannot expand %{Realm} or %{Suffix} control attributes for use unless realm is explicitly defined in proxy.conf

I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to perform an ldap dip to get the radiusProxyToRealm attribute for each request based on Suffix as configured in modules/ldap:

filter = "(radiusRealm=%{Suffix})"

NOTE: If using in modules/ldap, radiusProxyToRealm is returned successfully and things work as expected. In this case the Proxy-To-Realm (which is mapped in ldap.attrmap) is set in ldap to proxy.com and proxy.com is defined in proxy.conf.

Output from radiusd -X:
...
[suffix] Looking up realm "domain.com" for User-Name = "t...@domain.com"
[suffix] No such realm "domain.com"
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for t...@domain.com
[ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=)
...

After reading man unlang, I have also attempted (without success) to expand using the following in ldap filter:

%{control:Realm}
%{control:Suffix}
%{suffix:User-Name}
%{realm:User-Name}

Finally, after revisiting man rlm_realm, I read the following which is of concern as I don't see any other way to utilize the radiusProxyToRealm attribute in ldap:

"In either case, a Realm attribute is created and added to the packet on a match, which can be used by other modules."

Is there currently any way to always match (regardless if the realm is defined in proxy.conf) in order to create a Stripped-User-Name and Realm run-time variable with every request?

Regards,

Rob