addition to policy.conf

Brian Candler B.Candler at pobox.com
Sun Jun 3 21:38:20 CEST 2012


On Sat, Jun 02, 2012 at 10:34:25PM +0100, alan buxey wrote:
> cheers - some peoples styles differ. I will test/verify the other operation.
> I'm also keen on those who can supply combined REGEX foo - such as making a single
> check for e.g. begins with . or ends with .   (or would people prefer each rule
> to be separate so that locally they could easily just comment out a rule that wouldn't
> apply to them?)

I think your ruleset is more or less equivalent to:

User-Name =~ /^[^@]*$| |@.*@|\\.\\.|@[^.]*$|\\.$|@\\./    --> invalid

But I don't really see the point. Why not simply proxy it to the
authoritative server, and let that server reply that it's invalid?  Why
distribute policy about which realms may (or may not) be valid all over the
place?  Such policy, if it is ever wrong, is likely to lead to
difficult-to-debug problems.

For an example of how this breaks things, look at all those websites which
validate domains to only .com, .net, .org and so on.  Now that hundreds of
new TLDs are coming along, those sites will all erroneously reject perfectly
valid domains.  The DNS is a database, so you may as well just query it, and
get the additional benefit of rejecting specific non-existent domains.

The same argument applies to RADIUS proxying IMO.


More information about the Freeradius-Devel mailing list
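Added example, not part of the thread: the combined regex above translated into Python (the doubled backslashes are unlang string escaping, so they become single escapes here), placed beside the same checks written as separate rules so the two can be compared on constructed sample User-Names. Rule labels such as "realm-no-dot" are my own names for each alternative, not from the original posts.

```python
import re

# Brian's combined pattern, with unlang's "\\." reduced to the regex escape "\.".
# Each alternative, left to right: no "@" at all, contains a space, two "@",
# a ".." run, last "@" followed by a realm with no dot, trailing ".",
# and "@" immediately followed by ".".
COMBINED = re.compile(r"^[^@]*$| |@.*@|\.\.|@[^.]*$|\.$|@\.")


def invalid_combined(user_name):
    """True when the single combined regex would mark the User-Name invalid."""
    return COMBINED.search(user_name) is not None


def invalid_rules(user_name):
    """The same checks as separate rules; returns the labels of those that fire.

    Labels are constructed for this example. Note that '@[^.]*$' only looks at
    the text after the LAST '@', and '@\\.' fires on ANY '@' followed by '.',
    so the rules below mirror that rather than a 'first @' split.
    """
    failed = []
    if "@" not in user_name:
        failed.append("no-realm")
    if " " in user_name:
        failed.append("space")
    if user_name.count("@") > 1:
        failed.append("multiple-at")
    if ".." in user_name:
        failed.append("double-dot")
    if "@" in user_name and "." not in user_name.rsplit("@", 1)[1]:
        failed.append("realm-no-dot")
    if user_name.endswith("."):
        failed.append("ends-with-dot")
    if "@." in user_name:
        failed.append("realm-starts-with-dot")
    return failed


# Constructed sample User-Names covering each alternative plus a clean one.
SAMPLES = [
    "alice@example.org", "alice", "alice@example", "alice@.example.org",
    "alice@example.org.", "alice@example..org", "al ice@example.org",
    "alice@foo@example.org", "alice@example.org@bar",
]


def rules_agree_with_combined(names):
    """True if the combined regex and the per-rule checks agree on every name."""
    return all(invalid_combined(n) == bool(invalid_rules(n)) for n in names)
```

Either form only checks the shape of the realm; as the post argues, whether the realm actually exists is something only the authoritative server (or DNS) can answer.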