rlm_realm module, Realm attr value

Martin Stanislav ms at uakom.sk
Tue Jan 25 14:50:45 CET 2011


On Tue, Jan 25, 2011 at 01:52:21PM +0100, Alan DeKok wrote:
> The named realms are used by the "realms" module to find a matching name.
> 
> > Looks like up until 2.1.8, the AVP Realm was always created with
> > Realm-the-character-string as it came from the request, but with 2.1.9,
> > this changed to Realm-the-instance-name.
> 
>   Hmm... I think it's the other way around.  In 2.1.9, a regex realm
> results in "Realm = match", instead of "Realm = regex".

Correct. 

> > Problem is, both of these can be valuable somehow, and need to be
> > addressable. In a rlm_linelog, I care about logging the actual input; at
> > other places, I may want to check which path the packet will take.
> > 
> > In short, I think there should be two attributes: one to contain the
> > instance name, one with the string. Using unlang is of course possible,
> > but clumsy - it worked without before.
> 
>   There's utility creating two attributes, I think.

CPU cycles are burned within the rlm_realm to extract both, 
the realm as entered by the user and the matched proxy.conf 
realm entry.  The Proxy-To-Realm attribute holds the latter
value (realm_authorize & realm_preacct function calls). 
The Realm attribute is set to the same value except holding 
a regex.  It's set to the former value in such a case. 

In other words, the "DEFAULT" proxy.conf entry is the only case
when the Realm attribute doesn't exactly match (string, case
insensitive) the realm as entered by the user.

Martin
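
A small model of the attribute assignment described in the message above, added here as an illustration; it is not code from the FreeRADIUS source or from any poster. The realm entries, the lookup order (exact, then regex, then DEFAULT) and the function names are assumptions.

```python
import re

# Constructed stand-in for proxy.conf realm entries (names are made up).
# A leading "~" marks a regex entry, as in proxy.conf.
REALMS = ["example.com", r"~^(.+\.)?example\.net$", "DEFAULT"]


def split_realm(user_name):
    """Return the realm after the last '@', or None if there is none."""
    _, sep, realm = user_name.rpartition("@")
    return realm if sep else None


def realm_attrs(user_name, realms=REALMS):
    """Model of the values described in the message.

    Returns (Realm, Proxy-To-Realm), or None when there is no realm part
    (requests without a realm are outside this model).
    """
    entered = split_realm(user_name)
    if entered is None:
        return None
    # Plain entries: case-insensitive string match; both attributes
    # carry the proxy.conf entry name.
    for name in realms:
        if name.startswith("~") or name == "DEFAULT":
            continue
        if name.lower() == entered.lower():
            return name, name
    # Regex entries: Realm keeps what the user typed, Proxy-To-Realm
    # holds the matched proxy.conf entry.
    for name in realms:
        if name.startswith("~") and re.search(name[1:], entered, re.IGNORECASE):
            return entered, name
    # Fallback entry: the user-entered realm is not kept in Realm.
    if "DEFAULT" in realms:
        return "DEFAULT", "DEFAULT"
    return None


def realm_hides_input(user_name, realms=REALMS):
    """True when Realm no longer equals the realm the user entered,
    i.e. a log line built from Realm would lose the original input."""
    attrs = realm_attrs(user_name, realms)
    entered = split_realm(user_name)
    return attrs is not None and attrs[0].lower() != entered.lower()
```

In this model, logging the realm exactly as the user entered it in the DEFAULT case means taking it from User-Name rather than from Realm.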



