virtual domains as realms

Marko Dinic marko at yu.net
Fri Nov 11 14:35:28 CET 2005


Hello,
I have the following setup on my system:

In LDAP i have:

  dc=mydomain,dc=com
  |    
  |---ou=Virtual Domains
  |    |
       |---dc=domain1.com     
       |    |
       |    |---uid=john
       |    |---uid=mike
       |    |---uid=peter
       |
       |---dc=domain2.com     
       |    |
       |    |---uid=john
       |    |---uid=mike
       |    |---uid=andrew
       |
       |---dc=domain3.com     
       |    |
       |    |---uid=mike
       |    |---uid=jack
       |    |---uid=joe
       |
      etc. 

These are virtual domains and accounts for some mail service, and they
have to be arranged only in the above order. In addition to the mail
service, virtual users are supposed to have dial-up access, logging
in as

                username@virtualdomain.com

i.e.  john@domain1.com, john@domain2.com, mike@domain3.com and so on...

If I configure the LDAP module like this:

        ldap ldap_vdomains {

                ... 

                basedn = "dc=%{Realm},ou=Virtual Domains,dc=eunet,dc=yu"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                base_filter = "(objectclass=posixAccount)"
                
                ...
        }

and add each of these virtual domains to proxy.conf as realms, it works
like a charm... However,

these domains and accounts are independently created in LDAP through
some web interface by our accounting officers in the sales department,
so proxy.conf is not updated every time a domain is added or modified.
Of course, it could be automatically updated by some script, but, still,
I don't like the idea of HUPing radius every time a virtual domain is added,
removed or renamed. So, realm DEFAULT seems like an elegant solution, but,
when it produces a match for any of these virtual domain realms, it sets

                          Realm = DEFAULT

and LDAP search is done with

      basedn = "dc=DEFAULT,ou=Virtual Domains,dc=eunet,dc=yu"

Is there a way to make the DEFAULT realm preserve the original realm name
from the request and set it as the Realm attribute's value instead of
"DEFAULT"? If not, is there some other solution to this? It would help
if I could at least set the DEFAULT realm not to strip the user name and
then use a regexp to extract the realm name from %{User-Name} in the basedn=
line of the ldap module config, but I can't seem to find a working syntax for this.

Simply put, I need a way of using the realm part of the User-Name in the ldap
module's configuration, while using only realm DEFAULT (or, perhaps, some
other catch-all entry, if available) in proxy.conf.

-- 
Best regards,

Marko Dinic, System Engineer
----- 
YUnet International  http://www.eunet.yu
Dubrovacka 35/III,   11000 Belgrade
Tel: +381 11 311 9901;  Fax: + 381 11 311 9901
-----
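Whatever mechanism ends up carrying the realm from the User-Name into the basedn= line, the value is being interpolated into an LDAP distinguished name and the stripped user name into a search filter, so a catch-all mapping has to validate and escape both before the search runs. The following Python is an added example (not code from the post above and not part of FreeRADIUS) that shows what that mapping must check: it splits the User-Name at the last "@" (an assumption made here, not a claim about rlm_realm), restricts the realm to a plain DNS name before it becomes a dc= value, escapes the user part per RFC 4515 before it goes into the (uid=...) filter, and ANDs the poster's base_filter in explicitly. The suffix "ou=Virtual Domains,dc=eunet,dc=yu" is taken from the posted config; the function names are mine.

```python
import re
from typing import Optional, Tuple

# Suffix from the posted ldap_vdomains basedn= template; everything left of it
# is supplied per request from the realm part of the User-Name.
VDOMAIN_SUFFIX = "ou=Virtual Domains,dc=eunet,dc=yu"
BASE_FILTER = "(objectclass=posixAccount)"  # the posted base_filter

# A realm that will become a dc= RDN value is only accepted if it is a plain
# DNS hostname: lowercase labels of letters, digits and '-', joined by dots.
# \Z (not $) so that a trailing newline cannot sneak past the check.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
REALM_RE = re.compile(rf"(?=.{{1,253}}\Z){_LABEL}(?:\.{_LABEL})+\Z")


def split_user_name(user_name: str) -> Optional[Tuple[str, str]]:
    """Split 'user@realm' at the LAST '@' (assumption for this example).
    Returns (stripped_user_name, realm) or None when there is no usable realm."""
    if "@" not in user_name:
        return None
    user, realm = user_name.rsplit("@", 1)
    if not user or not realm:
        return None
    return user, realm.lower()


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a DN (defence in depth;
    REALM_RE already rejects every character this would touch)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter, so a
    user name such as '*)(uid=*' cannot widen the (uid=...) match."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_ldap_search(user_name: str) -> Tuple[str, str]:
    """Return (basedn, filter) for a User-Name of the form user@virtualdomain,
    or raise ValueError when the name cannot be mapped safely."""
    parts = split_user_name(user_name)
    if parts is None:
        raise ValueError("User-Name carries no realm")
    user, realm = parts
    if not REALM_RE.fullmatch(realm):
        # Anything that is not a hostname (',', '=', spaces, ...) would otherwise
        # rewrite the DN, e.g. 'john@domain1.com,ou=Admins'.
        raise ValueError(f"realm {realm!r} is not a plain DNS name")
    basedn = f"dc={escape_dn_value(realm)},{VDOMAIN_SUFFIX}"
    search_filter = f"(&{BASE_FILTER}(uid={escape_filter_value(user)}))"
    return basedn, search_filter


if __name__ == "__main__":
    # Constructed sample User-Names, including two hostile ones.
    for name in ["john@domain1.com", "mike@DOMAIN3.com",
                 "*)(uid=*@domain2.com", "john@domain1.com,ou=Admins", "john"]:
        try:
            print(name, "->", build_ldap_search(name))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

The point of the strict REALM_RE is that a per-domain subtree lookup only has to accept the set of names the sales web interface can create, so rejecting everything else is cheaper and safer than trying to escape arbitrary input into a DN; the filter escaping is still needed because the uid part is free-form.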