On 06/02/2012 10:34 PM, alan buxey wrote:
cheers - some peoples styles differ. I will test/verify the other operation. I'm also keen on those who can supply combined REGEX foo - such as making a single
We use the following: if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) { update request { Stripped-User-Name := "%{1}" Realm := "%{toupper:%{2}}" } } else { update control { Reply-Message := "username is not RFC2486 compliant" } reject } A few things to note about this regexp: 1. It doesn't check any syntactic validity of the username part; just the realm. I'm not confident enough that an inclusive list e.g. a-zA-Z0-9 is "safe" for usernames; especially since in theory they're UTF-8 2. It will allow realms of the form -a.-b.-c because I just use a single range for all characters in the realm. 3. It doesn't blacklist any common typos e.g. ax.uk, uk.ac, etc. I'm not certain this is a sensible thing for end sites to do; bogon lists have a nasty habit of getting stale unless they're fed from a central source in a totally automated fashion. I know AlexC was keen on rlm_is_realm_in_dns (or something) but equally that prevents people having legit realms that aren't resovable (either publicly or at all)
check for e.g. begins with . or ends with . (or would people prefer each rule to be seperate so that locally they could easily just comment out a rule that wouldnt apply to them?)
Ideally, it should be so simple that no-one ever has cause to do anything other than enable the policy. Separate entries allow for more granular reply-message values I guess.