How can I change proxy based on username?

Olivier Beytrison olivier at heliosnet.org
Tue Mar 26 14:08:11 CET 2013


On 26.03.2013 13:50, John Horne wrote:
> Hello,
> 
> Using Freeradius 2.1.10 I have been trying to see if I can proxy a
> request to a remote server but using a different User-Name attribute
> based on the original request User-Name attribute.
> 
> For example so that:
> Request 'j.bloggs at plymouth.ac.uk' gets proxied to remote server with
> User-Name="j.bloggs at plymouth.ac.uk" in the proxy request.
> Request 'jbloggs at plymouth.ac.uk' gets proxied to the same remote server
> but uses the User-Name="jbloggs" attribute (so no realm) in the proxy
> request.
> 
> So basically if a username contains a dot, then proxy on the whole thing
> (username and realm). But if the username does not contain a dot, then
> only proxy on the username, no realm.
> 
> I have been trying in the authorize section to use:
> 
> =========================
>     if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {
>             if (User-Name =~ /^([^.]+)@/) {
>                     update control {
>                             Proxy-To-Realm := NULL
>                     }
>             }
>     }
> =========================
> 
> The NULL realm will 'strip' the username, and proxy the request to the
> remote server. However, testing shows that the User-Name being sent is
> the original one still with the realm:

If the NULL realm is set to strip, then the stripped user name will be
stored in the attribute "Stripped-User-Name". User-Name will remain
untouched.

After your update control, you can do :
update request {
	User-Name := %{Stripped-User-Name:-%{User-Name}}
}

You could also use the preproxy_users which allow you to rewrite the
request before it is proxied. It contains the exact example for your case.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at heliosnet.org


More information about the Freeradius-Users mailing list