Applying the same rule to multiple values in an attribute/config value

Alex Perez-Mendez Alex.Perez-Mendez at jisc.ac.uk
Thu Feb 14 21:17:50 CET 2019


Hi Alan,

a further question has come to my mind when configuring this "bangpath" 
realm.
When the conditions are met and it is executed, it provides a value to 
&Request:Realm, so "suffix" results in "noop" and, hence, it rejects the 
authentication because in our "sites-enabled/abfab-tr-idp" file we have 
the following:
     suffix {
             updated = 1
             noop = reject
     }

I'm not sure why this was set here. I guess because we wanted that if no 
realm was resolved using the Trust Router, it should fail right away 
(I'm not sure that's necessarily true, though, as I guess it will 
eventually fail nonetheless as it will try to authenticate a local user 
that does not exist).

But now we have two different resolvers instead of just one. Would it 
have any security implications if I removed the "noop" line? If I do 
that it works.
If that's not desirable, would it be acceptable to make the check that 
if &request:Realm is set, then circumvent the suffix module?

Best regards,
Alex

El 13/2/19 a las 14:40, Stefan Paetow escribió:
> Alrighty then.
>
> We'll have a pull request coming at you sometime in the near future.
>
> :-)
>
> Stefan Paetow
> Consultant, Trust and Identity
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
>
> jisc.ac.uk
>
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>   
>
> On 13/02/2019, 14:17, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:
>
>      On Feb 12, 2019, at 6:26 PM, Stefan Paetow <Stefan.Paetow at JISC.AC.UK> wrote:
>      > Also, I also figured out how to resolve the other problem. Instead of looping, I do this:
>      
>        That looks good.
>      
>      > The only thing where I and someone else diverge on is that I've defined two strings because I don't accidentally want to trample all over any potentially-defined Tmp-String-* attributes. What say you? Better this way, or Tmp-String-* be damned?
>      
>        Better to use well-known and named attributes for one purpose.  We can always add these attributes to the internal dictionary.
>      
>        Alan DeKok.
>      
>      
>      -
>      List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk
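As an added illustration of the two options discussed in the message above (this is not configuration from the list post or from the FreeRADIUS project), here is the `suffix` call from a hypothetical `authorize` section of `sites-enabled/abfab-tr-idp`, first as quoted in the message and then wrapped in the guard Alex proposes, so that the realm module only runs when no earlier resolver has already populated `&request:Realm`. The `authorize` section name and the surrounding layout are assumptions; only the `suffix { updated = 1 noop = reject }` block comes from the message.

```unlang
authorize {
        # Variant 1 (as quoted in the message): suffix always runs.
        # A request whose realm is NOT found by the suffix module
        # makes the module return "noop", which this override turns
        # into "reject", so the request fails here instead of falling
        # through to local authentication.  With a second resolver
        # (the "bangpath" realm) setting &request:Realm earlier in the
        # section, suffix still returns noop for those users and they
        # are rejected even though a realm was resolved.
        #
        # suffix {
        #         updated = 1
        #         noop = reject
        # }

        # Variant 2 (assumed layout): keep the fail-fast behaviour for
        # requests no resolver handled, but skip suffix when a previous
        # resolver already set the realm.  "if (&request:Realm)" is
        # true when the attribute exists in the request list.
        if (&request:Realm) {
                # Realm already resolved upstream; nothing for suffix
                # to do, and no reject override to trip over.
                ok
        }
        else {
                suffix {
                        updated = 1
                        noop = reject
                }
        }
}
```

Variant 2 preserves the property the original `noop = reject` was presumably meant to give: a request that neither resolver could assign a realm to is rejected before reaching local authentication, while a request whose realm was resolved by the earlier resolver is no longer rejected merely because `suffix` itself returned `noop`. Whether that is acceptable depends on the earlier resolver only setting `&request:Realm` on a genuine match, which should be checked with `radiusd -X` against both a matching and a non-matching User-Name.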


