On Sat, Jun 02, 2012 at 10:34:25PM +0100, alan buxey wrote:
cheers - some peoples styles differ. I will test/verify the other operation. I'm also keen on those who can supply combined REGEX foo - such as making a single check for e.g. begins with . or ends with . (or would people prefer each rule to be seperate so that locally they could easily just comment out a rule that wouldnt apply to them?)
I think your ruleset is more or less equivalent to: User-Name =~ /^[^@]*$| |@.*@|\\.\\.|@[^.]*$|\\.$|@\\./ --> invalid But I don't really see the point. Why not simply proxy it to the authoritative server, and let that server reply that it's invalid? Why distribute policy about which realms may (or may not) be valid all over the place? Such policy, if it is ever wrong, is likely to lead to difficult-to-debug problems. For an example of how this breaks things, look at all those websites which validate domains to only .com, .net, .org and so on. Now that hundreds of new TLDs are coming along, those sites will all erroneously reject perfectly valid domains. The DNS is a database, so you may as well just query it, and get the additional benefit of rejecting specific non-existent domains. The same argument applies to RADIUS proxying IMO.