On Mar 27, 2007, at 4:20 AM, Alan DeKok wrote:
I'm getting close to being able to commit some of the massive changes I've been talking about. No "magic" features yet, but the code is much better.
However... as part of the changes, I think I've got to clean up the handling of realms. With a bit more work, I think I can make the old-style "realms" configurations map to the new method when the server starts up.
That would be good. :)
The more complicated piece is the "realms" module. The whole "ignore_null" and "ignore_default" configuration is wrong. It can probably be done via the new "if/then/else" in the authorize section.
I'll see if I can figure out a decent way of getting that to work.
I'd also like to move the rlm_realm configs prefix/suffix && "delimiter" to the individual "realms" section in proxy.conf, but that might break things.
Hmm, the reason it's in the module/instance config now is that it made more sense to me to define the 'delimiter' as that's easier/faster to search for. If you define the delimiter in the realm/proxy.conf section, how does the realm search logic work? I could see a realm option added to define what type of realm each should be. IE, you could then have a separate config for a prefix and suffix realm of the same name ( as much as that might be confusing ). It could also reduce the scope of the number of realms that have to searched for a match. radiusd.conf: realm suffix { format = suffix delimiter = "@" } realm prefix { format = prefix delimiter = "/" } Then in proxy.conf: realm foo.com { type = radius instance = suffix authhost = LOCAL accthost = LOCAL } realm bar { type = radius instance = prefix authhost = LOCAL accthost = LOCAL } Then, you would find a match for 'user@foo.com' but not 'foo.com/ user', and you would find a match for 'bar/user' but not 'user@bar'. I think that could be a useful feature. -Chris -- Chris Parker Director, Systems StarNet - US LEC, now a PAETEC Company (888)212-0099 Fax (847)963-1302 Wholesale Internet and VoIP Services http://www.megapop.net NOTICE: Message is sent IN CONFIDENCE to addressees. It may contain information that is privileged, proprietary or confidential.