If you have "realm1!user@realm2", then the packet MUST be routed by third parties to "realm2". Because it is the domain name which appears after the "@".
Yep. That's all fine.
The existing "realm" module isn't smart enough to do this kind of double lookup. Though I suppose it shouldn't be too hard to add (hint hint). Just have it check for a realm, and if the realm is local, do *another* check for realm on the user portion.
It can be done manually in "unlang". But it means replicating the logic in rlm_realm, and re-writing it unlang statements.
OK, I simply rewrite the User-Name *before* calling suffix? Because if I do it after and then try to do something else like trying to get FR to proxy it, I get 'Request already has destination realm set. Ignoring' (at this point that's the realm to the right of the '@'). How do I reset that? :-/ I have this in my authorize (after suffix): if (&Stripped-User-Name ~= /[a-zA-Z0-9\-.]+)!(.+)/) { update request { User-Name := "%{2}@%{1}" Realm !* ANY } } But then... Because it previously identified this as a local realm, it then tries to do authentication locally... Any suggestions are helpful. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.