Re: 2.0.0 documentation for radiusd.conf.




Control instead of config ?

  Yes.  "config" is already used for configuration-file stuff.

Both appear to work and do the same thing when updating things...

Ok,

It appears that either update request is broken,
or something else weird is happening.

if(("%{User-Name}" =~ /([^-]+)-emergency-/) || ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)) {
        if(("%{2}" == "") || ("%{2}" == "sussex.ac.uk")){
                update request {
                        Stripped-User-Name := "%{1}"
                        Realm := "local"
                }
        }
        else{
                update request {
                        Stripped-User-Name := "%{0}"
                        Realm = "%{2}"
                }
        }
}

That sorts out username formatting, means you can use ntdomain\user@domain, and things will still work *sigh* (never underestimate the stupidity of your users).

It basically says if user has no realm or has specified sussex as their realm, update the request, set stripped-user-name to be their username and set Realm to be "local".

else set their username as the entire User-Name string and set the request realm to be their specified Realm.

Later in the config file there's:

# PROXYING LOGIC
# Eventually if we ever need to proxy to multiple locations we can do checks here, but for now assume all non local realms go through JRS
if("%{request:Realm}" != "local"){
        update control {
                Proxy-To-Realm := "jrs"
        }
        update request {
                Realm := "jrs"
        }
}

So if the realm is not local then proxy to realm jrs (this is why I was waiting for the switch statement :) )


++? if (("%{User-Name}" =~ /([^-]+)-emergency-/) || ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/))
        expand: %{User-Name} -> ac221
?? Evaluating ("%{User-Name}" =~ /([^-]+)-emergency-/) -> FALSE
        expand: %{User-Name} -> ac221
?? Evaluating ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) -> TRUE
++? if (("%{User-Name}" =~ /([^-]+)-emergency-/) || ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)) -> TRUE
++- entering if (("%{User-Name}" =~ /([^-]+)-emergency-/) || ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/))
+++? if (("%{2}" == "") || ("%{2}" == "sussex.ac.uk"))
        expand: %{2} ->
?? Evaluating ("%{2}" == "") -> TRUE
?? Skipping ("%{2}" == "sussex.ac.uk")
+++? if (("%{2}" == "") || ("%{2}" == "sussex.ac.uk")) -> TRUE
+++- entering if (("%{2}" == "") || ("%{2}" == "sussex.ac.uk"))
        expand: %{1} -> ac221
++++[request] returns updated
+++- if (("%{2}" == "") || ("%{2}" == "sussex.ac.uk")) returns updated
+++ ... skipping else for request 0: Preceding "if" was taken
++- if (("%{User-Name}" =~ /([^-]+)-emergency-/) || ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)) returns updated
++? if ("%{request:Realm}" != "local")
        expand: %{request:Realm} ->
? Evaluating ("%{request:Realm}" != "local") -> TRUE
++? if ("%{request:Realm}" != "local") -> TRUE
++- entering if ("%{request:Realm}" != "local")
+++[control] returns updated

See brokenness:

?? Evaluating ("%{2}" == "") -> TRUE
?? Skipping ("%{2}" == "sussex.ac.uk")
+++? if (("%{2}" == "") || ("%{2}" == "sussex.ac.uk")) -> TRUE
+++- entering if (("%{2}" == "") || ("%{2}" == "sussex.ac.uk"))
        expand: %{1} -> ac221
++++[request] returns updated

Stripped-User-Name set to ac221
and I'm guessing Realm set to local...

but then:

++? if ("%{request:Realm}" != "local")
        expand: %{request:Realm} ->

No local ?!
--
Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
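
The intended result of the two unlang blocks in the message above, modelled in Python as an added example (not part of the original post and not FreeRADIUS code). The function names are hypothetical, and the regex escaping and the empty expansion of %{2} are assumptions noted in the comments.

```python
import re

# Assumptions: the config's "\\\\" reaches the regex engine as one escaped
# backslash, POSIX [:alnum:] is spelled out as ASCII, and %{2} expands to ""
# when the pattern that matched has no second group.
EMERGENCY = re.compile(r"([^-]+)-emergency-")
USER_REALM = re.compile(r"\\?([^@\\]+)@?([-A-Za-z0-9._]*)?$")
LOCAL_REALMS = {"", "sussex.ac.uk"}


def normalise(user_name):
    """Return (Stripped-User-Name, Realm), or None if neither regex matches."""
    # Like the unlang "||", the second regex is only tried if the first fails.
    m = EMERGENCY.search(user_name) or USER_REALM.search(user_name)
    if m is None:
        return None
    realm = (m.group(2) if m.re.groups >= 2 else "") or ""
    if realm in LOCAL_REALMS:
        return m.group(1), "local"          # %{1}: bare user name
    return m.group(0), realm                # %{0}: the whole matched text


def route(user_name):
    """Apply the PROXYING LOGIC block to the normalised request."""
    result = normalise(user_name)
    if result is None:
        return None
    stripped, realm = result
    proxy = None
    if realm != "local":                    # every non-local realm goes to jrs
        proxy = "jrs"
        realm = "jrs"                       # update request { Realm := "jrs" }
    return {"Stripped-User-Name": stripped, "Realm": realm,
            "Proxy-To-Realm": proxy}


# "ac221" is the name in the debug log above; the other inputs are constructed.
SAMPLES = ["ac221", "ac221@sussex.ac.uk", "SUSSEX\\ac221@sussex.ac.uk",
           "ac221-emergency-1", "bob@example.org"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:32} -> {route(name)}")
```

Under these assumptions "ac221" should come out with Realm "local" and no Proxy-To-Realm, which is the outcome the debug output is being compared against.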



