Matching Realms and Group-Membership
Hi, I've successfully set up freeradius and till now it is doing what I want - checking realms and prefixes and uses a postgres database backend. ;) Now I want to implement a check, that verifies if a user authenticating with 10000@realma.com is also in the group "realmA" and reject the request if this is not the case. This way I want to implement a "user X purchased product Y?" Already tried this: Adding in the radusergroup table: +------------------+-----------+-----------+ | username | groupname | priority | +------------------+-----------+-----------+ | 10000@realmA.com | realmA | 10 | +------------------+-----------+-----------+ And in the radgroupcheck table: +----+-----------+-----------+----+------------+ | id | groupname | attribute | op | value | |----+-----------+-----------+----+------------+ | 1 | realmA | Realm | != | realma.com | +----+-----------+-----------+----+------------+ And finally in the radgroupreply table: +----+-----------+---------------+----+-----------------------+ | id | groupname | attribute | op | value | +----+-----------+---------------+----+-----------------------+ | 1 | realmA | Auth-Type | := | Reject | +----+-----------+---------------+----+-----------------------+ And of course, my debug output says: rlm_realm: Adding Realm = "~^realmA.com$" I also tried adding "~^realmA.com$" as value in the radgroupcheck table with no success. I thought to already understood this concept... but adding "Auth-Type := Reject" in the radgroupcheck table works?! My expression in radgroupcheck also works - I verified this by adding "Reply-Message += Is this working?" within radgroupreply and the reply-message is added to the response. If anybody could assist me with this or just give me a hint it'd be great! Regards, Robert Borz.
Now I want to implement a check, that verifies if a user authenticating with 10000@realma.com is also in the group "realmA" and reject the request if this is not the case. This way I want to implement a "user X purchased product Y?"
Already tried this: Adding in the radusergroup table: +------------------+-----------+-----------+ | username | groupname | priority | +------------------+-----------+-----------+ | 10000@realmA.com | realmA | 10 | +------------------+-----------+-----------+
And in the radgroupcheck table: +----+-----------+-----------+----+------------+ | id | groupname | attribute | op | value | |----+-----------+-----------+----+------------+ | 1 | realmA | Realm | != | realma.com | +----+-----------+-----------+----+------------+
And finally in the radgroupreply table: +----+-----------+---------------+----+-----------------------+ | id | groupname | attribute | op | value | +----+-----------+---------------+----+-----------------------+ | 1 | realmA | Auth-Type | := | Reject | +----+-----------+---------------+----+-----------------------+
You do know that this doesn't do anything. If the password is linked to username 10000@realmA.com these group checks are pointless.
And of course, my debug output says: rlm_realm: Adding Realm = "~^realmA.com$"
That shouldn't happen. realm suffix should return realmA.com as Realm (without those regex things). Post the whole debug. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Robert Borz -
tnt@kalik.net