hello alexander,


thanks alot for this piece of code. but now i have a problem with getting this to work.
in radiusd.conf i have an 

$INCLUDE policy.conf

and in my authorize section i got the following:

authorize {
                auth_log
                validate_username
                suffix
                eap {
                        ok =  return
                }
        }

upon restarting i get the following:

/etc/raddb/sites-enabled/eduroam[9]: Failed to find module "validate_username".
/etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section. 

any hints?

-euro

On Tue, Oct 27, 2009 at 11:09 AM, Alexander Clouter <alex@digriz.org.uk> wrote:
mr typo <euroregistrar@gmail.com> wrote:
>
> i was trying to reject those "double" realm.
> but i cannot find the right syntax and/or where to put the lines.
>
> i was trying to put this lines in the user file:
> DEFAULT User-Name =~ "/^.*@company.com@.*/"
>   Auth-Type := Reject
>
>
> that did not work.
> when putting:
> if (User-Name ~= /^.*@company.com@.*/) {
>  reject
> }
> in the server configuration in authorize section, i get a strange error..
>
> i am quite new with configuring freeradius, it would be nice if someone
> could give me some real hint how to and where
> reject those double @ @
>
In addition to my blackholing I now have added to my policy.conf file:
----
# only needs to be close enough to catch unroutable guff
validate_username {
       if (User-Name !~ /@/ \
                      || ( \
                               User-Name !~ /@.*@/ \
                               && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
                      ) \
       ) {
               ok
       }
       else {
               update reply {
                       Reply-Message := "Invalid User-Name Syntax"
               }
               reject
       }
}
----

Then in your authorize section you just place 'validate_username' and it
looks after everything for you.

What the above bumpf does is:
 * permit realmless (usernames without an '@') through, these are
       rejected later by matching against the NULL realm (*important*)
 * if there is an '@' in there then it
  * reject's if there are two or more '@'s
  * reject if the *realm* is not valid, for example the realm *must*
       be made up of at least two parts, and the end part must be at
       least two characters long

Hope that helps

Cheers

--
Alexander Clouter
.sigmonster says: The best things in life are for a fee.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html