Expanding Suffix or Realm attributes

Rob Turner rob at crosscut.org
Wed Jun 30 05:40:24 CEST 2010



----- Original Message -----
> From: "Rob Turner" <rob at crosscut.org>
> To: freeradius-users at lists.freeradius.org
> Sent: Tuesday, June 29, 2010 9:55:57 PM
> Subject: Expanding Suffix or Realm attributes

> Problem: Cannot expand %{Realm} or %{Suffix} control attributes for
> use unless realm is explicitly defined in proxy.conf
> 
> I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to
> perform an ldap dip to get the radiusProxyToRealm attribute for each
> request based on Suffix as configured in modules/ldap:
> 
> filter = "(radiusRealm=%{Suffix})"
> 
> NOTE: If using <filter = "(radiusRealm=domain.com)"> in modules/ldap,
> radiusProxyToRealm is returned successfully and things work as
> expected. In this case the Proxy-To-Realm (which is mapped in
> ldap.attrmap) is set in ldap to proxy.com and proxy.com is defined in
> proxy.conf.
> 
> Output from radiusd -X:
> ...
> [suffix] Looking up realm "domain.com" for User-Name = "test at domain.com"
> [suffix] No such realm "domain.com"
> ++[suffix] returns noop
> ++[files] returns noop
> [ldap] performing user authorization for test at domain.com
> [ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=)
> ...
> 
> After reading man unlang, I have also attempted (without success) to
> expand using the following in ldap filter:
> 
> %{control:Realm}
> %{control:Suffix} %{suffix:User-Name}
> %{realm:User-Name}
> 
> Finally, after revisiting man rlm_realm, I read the following which is
> of concern as I don't see any other way to utilize the
> radiusProxyToRealm attribute in ldap:
> 
> "In either case, a Realm attribute is created and added to the packet
> on a match, which can be used by other modules."
> 
> Is there currently any way to always match (regardless of whether the realm is
> defined in proxy.conf) in order to create a Stripped-User-Name and
> Realm run-time variable with every request?
> 
> Regards,
> 
> Rob
> 

Also, I've tried to use a regex realm such as

realm "~.*\\.*\\.*$" {
        ignore_default = yes
        nostrip
}


Output from radiusd -X:
...
[suffix] Looking up realm "domain.com" for User-Name = "test at domain.com"
[suffix] Found realm "~.*\.*\.*$"
[suffix] Adding Realm = "~.*\.*\.*$"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
[ldap] performing user authorization for test at domain.com
[ldap]  expand: (radiusRealm=%{Realm}) -> (radiusRealm=~.\2a\5c.\2a\5c.\2a$)
...

The regex realm would work if I could use the Suffix or Realm attribute from something like the check or control list rather than "~.\2a\5c.\2a\5c.\2a$".

Thanks,

Rob
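An added example, not from the post above or from the FreeRADIUS project, showing why the second trace expands %{Realm} to "~.\2a\5c.\2a\5c.\2a$": rlm_ldap hex-escapes LDAP metacharacters in every value it substitutes into the filter, so a realm name (or a crafted User-Name suffix) can never reach the directory as raw filter syntax. The %{Attr} template expander and the escape set (recalled from rlm_ldap's escape routine: `,+"\<>;*=()` plus a leading space or `#`) are assumptions for illustration; the `*` and `\` escapes are confirmed by the trace itself.

```python
import re

# Characters rlm_ldap (2.x) hex-escapes in every expanded value. The exact
# set is an assumption recalled from rlm_ldap's escape routine; '*' and '\'
# are the two confirmed directly by the radiusd -X output in the post.
_UNSAFE = set(',+"\\<>;*=()')


def ldap_escape(value: str) -> str:
    """Hex-escape LDAP filter/DN metacharacters as a backslash plus two
    hex digits (RFC 4515 style), e.g. '*' -> '\\2a', '\\' -> '\\5c'."""
    out = []
    for i, ch in enumerate(value):
        if ch in _UNSAFE or (i == 0 and ch in " #"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template: str, attrs: dict) -> str:
    """Expand %{Attr} references in a filter template, escaping each value.
    A missing attribute expands to the empty string, which is what produces
    '(radiusRealm=)' in the first trace when no realm matched."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: ldap_escape(attrs.get(m.group(1), "")),
                  template)


if __name__ == "__main__":
    # Constructed inputs mirroring the two traces in the post.
    print(expand_filter("(radiusRealm=%{Suffix})", {}))
    print(expand_filter("(radiusRealm=%{Realm})",
                        {"Realm": "~.*\\.*\\.*$"}))
    # A hostile suffix is neutralised rather than altering the filter.
    print(expand_filter("(radiusRealm=%{Suffix})", {"Suffix": "*)(uid=*"}))
```

The consequence for the question above is that the regex realm name is escaped on expansion, so it is only usable in the filter as a literal string, never as a pattern.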


