Re: Expanding Suffix or Realm attributes

2010-06-30 Thread Alan DeKok
Rob Turner wrote:
 The regex realm would work if I could use the Suffix or Realm attribute from 
 something like the check or control list rather than ~.\2a\5c.\2a\5c.\2a$

  This was fixed in 2.1.9.  See the changelog on www.freeradius.org.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Expanding Suffix or Realm attributes

2010-06-29 Thread Rob Turner
Problem: Cannot expand %{Realm} or %{Suffix} control attributes for use unless 
realm is explicitly defined in proxy.conf 

I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to perform an 
ldap dip to get the radiusProxyToRealm attribute for each request based on 
Suffix as configured in modules/ldap: 

filter = (radiusRealm=%{Suffix}) 

NOTE: If using filter = (radiusRealm=domain.com) in modules/ldap, 
radiusProxyToRealm is returned successfully and things work as expected. In 
this case the Proxy-To-Realm (which is mapped in ldap.attrmap) is set in ldap 
to proxy.com and proxy.com is defined in proxy.conf. 

Output from radiusd -X: 
... 
[suffix] Looking up realm domain.com for User-Name = t...@domain.com 
[suffix] No such realm domain.com 
++[suffix] returns noop 
++[files] returns noop 
[ldap] performing user authorization for t...@domain.com 
[ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=) 
... 

After reading man unlang, I have also attempted (without success) to expand 
using the following in ldap filter: 

%{control:Realm} 
%{control:Suffix} 
%{suffix:User-Name} 
%{realm:User-Name} 

Finally, after revisiting man rlm_realm, I read the following which is of 
concern as I don't see any other way to utilize the radiusProxyToRealm 
attribute in ldap: 

In either case, a Realm attribute is created and added to the packet on a 
match, which can be used by other modules. 

Is there currently any way to always match (regardless if the realm is defined 
in proxy.conf) in order to create a Stripped-User-Name and Realm run-time 
variable with every request? 

Regards, 

Rob 

Re: Expanding Suffix or Realm attributes

2010-06-29 Thread Sajeewa Warnakulasuriya

Hi,

You can add the below in the hints file

DEFAULT User-Name =~ ^([...@]+)@([[:alnum:].\-_]*)$
   Stripped-User-Name = %{1},
   Suffix = %{2}



Regards,



Sajeewa Warnakulasuriya



Re: Expanding Suffix or Realm attributes

2010-06-29 Thread Rob Turner



Also, I've tried to use a regex realm such as 

realm ~.*\\.*\\.*$ {
    ignore_default = yes
    nostrip
}


Output from radiusd -X:
...
[suffix] Looking up realm domain.com for User-Name = t...@domain.com
[suffix] Found realm ~.*\.*\.*$
[suffix] Adding Realm = ~.*\.*\.*$
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
[ldap] performing user authorization for t...@domain.com
[ldap]  expand: (radiusRealm=%{Realm}) -> (radiusRealm=~.\2a\5c.\2a\5c.\2a$)
...

The regex realm would work if I could use the Suffix or Realm attribute from 
something like the check or control list rather than ~.\2a\5c.\2a\5c.\2a$

Thanks,

Rob
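
Added example, not part of the thread and not FreeRADIUS code: the `\2a` and `\5c` in the debug output above are the RFC 4515 hex escapes for `*` and `\`, applied to the expanded value before it is placed in the LDAP filter. The sketch below reproduces that escaping and derives the realm from the User-Name instead; the split pattern, the function names and the sample user `alice` are assumptions of this example.

```python
import re

# RFC 4515 section 3: these characters must appear as \XX in a filter value.
_LDAP_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                  "\x00": r"\00"}

# Assumed split rule (this example's own, not taken from the thread):
# everything before the last "@" is the user, the remainder is the realm,
# and the realm may contain only hostname-like characters.
_USER_REALM = re.compile(r"(?P<user>.+)@(?P<realm>[A-Za-z0-9._-]+)")


def ldap_escape(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_LDAP_SPECIALS.get(ch, ch) for ch in value)


def split_user_name(user_name):
    """Return (stripped_user_name, realm); realm is None if absent/invalid."""
    m = _USER_REALM.fullmatch(user_name)
    if m is None:
        return user_name, None
    return m.group("user"), m.group("realm").lower()


def realm_filter(user_name):
    """Build (radiusRealm=<realm>) from a User-Name, or None without a realm."""
    _, realm = split_user_name(user_name)
    if realm is None:
        return None
    # The realm comes from the client-supplied User-Name, so it is escaped
    # even though the pattern above already restricts its characters.
    return "(radiusRealm=%s)" % ldap_escape(realm)


if __name__ == "__main__":
    # The regex realm name from the debug output, escaped as the log shows.
    print(ldap_escape(r"~.*\.*\.*$"))
    # Constructed sample input.
    print(realm_filter("alice@domain.com"))
```

The first call prints the same escaped string that appears in the `expand:` line, which is why the name of a regex realm cannot serve as the lookup key for radiusRealm.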