Cleaning up the "realms"

Chris Parker cparker at starnetusa.net
Tue Mar 27 15:57:32 CEST 2007


On Mar 27, 2007, at 4:20 AM, Alan DeKok wrote:

>   I'm getting close to being able to commit some of the massive changes
> I've been talking about.  No "magic" features yet, but the code is much
> better.
>
>   However... as part of the changes, I think I've got to clean up the
> handling of realms.  With a bit more work, I think I can make the
> old-style "realms" configurations map to the new method when the server
> starts up.

That would be good.  :)

>   The more complicated piece is the "realms" module.  The whole
> "ignore_null" and "ignore_default" configuration is wrong.  It can
> probably be done via the new "if/then/else" in the authorize section.
>
>   I'll see if I can figure out a decent way of getting that to work.
>
>   I'd also like to move the rlm_realm configs prefix/suffix &&
> "delimiter" to the individual "realms" section in proxy.conf, but that
> might break things.

Hmm, the reason it's in the module/instance config now is that it made
more sense to me to define the 'delimiter' as that's easier/faster to
search for.  If you define the delimiter in the realm/proxy.conf section,
how does the realm search logic work?

I could see a realm option added to define what type of realm each
should be.

IE, you could then have a separate config for a prefix and suffix
realm of the same name ( as much as that might be confusing ).  It could
also reduce the scope of the number of realms that have to be searched
for a match.

radiusd.conf:

realm suffix {
         format = suffix
         delimiter = "@"
}

realm prefix {
         format = prefix
         delimiter = "/"
}

Then in proxy.conf:

realm foo.com {
         type = radius
         instance = suffix
         authhost = LOCAL
         accthost = LOCAL
}

realm bar {
         type = radius
         instance = prefix
         authhost = LOCAL
         accthost = LOCAL
}

Then, you would find a match for 'user@foo.com' but not 'foo.com/user',
and you would find a match for 'bar/user' but not 'user@bar'.  I think
that could be a useful feature.

-Chris
--
Chris Parker
Director, Systems
StarNet - US LEC, now a PAETEC Company

(888)212-0099   Fax (847)963-1302
Wholesale Internet and VoIP Services     http://www.megapop.net
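The matching semantics proposed above (each realm searched only with the delimiter of the instance it is bound to), as an added example that is not FreeRADIUS code and not part of the original message; the instance and realm tables are constructed from the radiusd.conf and proxy.conf fragments, and `realm_match` is a hypothetical name.

```c
#include <stddef.h>
#include <string.h>

/* Models the proposed split: an "instance" carries format + delimiter
 * (radiusd.conf), a realm only names which instance applies (proxy.conf). */
enum realm_format { FORMAT_SUFFIX, FORMAT_PREFIX };

struct realm_instance {
    const char *name;
    enum realm_format format;
    char delimiter;
};

struct realm {
    const char *name;      /* realm name, e.g. "foo.com" */
    const char *instance;  /* instance whose format/delimiter applies */
};

/* Constructed from the message's config fragments (example data). */
static const struct realm_instance instances[] = {
    { "suffix", FORMAT_SUFFIX, '@' },
    { "prefix", FORMAT_PREFIX, '/' },
};
static const struct realm realms[] = {
    { "foo.com", "suffix" },
    { "bar",     "prefix" },
};

static const struct realm_instance *find_instance(const char *name) {
    for (size_t i = 0; i < sizeof(instances) / sizeof(instances[0]); i++)
        if (strcmp(instances[i].name, name) == 0) return &instances[i];
    return NULL;
}

/* Returns the matching realm name or NULL.  Because each realm is only
 * tried with its own instance's delimiter, "foo.com/user" does not match
 * the suffix realm foo.com and "user@bar" does not match the prefix realm bar. */
const char *realm_match(const char *username) {
    for (size_t i = 0; i < sizeof(realms) / sizeof(realms[0]); i++) {
        const struct realm_instance *inst = find_instance(realms[i].instance);
        if (!inst) continue;
        size_t n = strlen(realms[i].name);
        if (inst->format == FORMAT_SUFFIX) {
            const char *p = strrchr(username, inst->delimiter);
            if (p && strcmp(p + 1, realms[i].name) == 0) return realms[i].name;
        } else {
            const char *p = strchr(username, inst->delimiter);
            if (p && (size_t)(p - username) == n &&
                strncmp(username, realms[i].name, n) == 0) return realms[i].name;
        }
    }
    return NULL;
}
```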
