addition to policy.conf

Stefan Winter stefan.winter at restena.lu
Mon Jun 4 11:40:11 CEST 2012


Hi,

one nit / smartass comment :-) on this one:


#
# Realm ends with a dot e.g. user@site.com.
#
if (User-Name =~ /\\.$/)  {
    update reply {
        Reply-Message = "misconfigured client. Realm ends with a dot"
    }
    reject
}


It's correct that RFC4282 forbids this construct.

However, the trailing dot is a perfectly valid construct for domain
names (in fact, every FQDN ends in a dot, it's just that convenience in
local resolvers "magically" adds them and users don't realise it).

When using DNS dynamic discovery, the realms

foo.bar           and
foo.bar.

are the SAME target, and both perfectly valid.

This is one area where RFC4282bis should give another thought - why
forbid these?

Well, for FreeRADIUS I guess it doesn't really matter... this is a 4282
syntax check, and the rule above is correct in rejecting realms with a
trailing dot. It's just a little uncomfortable that things are as they
are :-/

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
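To illustrate the gap the message points at, here is a small added example (not part of the original post or of FreeRADIUS): an RFC 4282 realm syntax check placed beside a resolver-style normalisation, showing that the policy.conf rule rejects user@site.com. while DNS discovery would treat site.com and site.com. as the same target. The function names and sample identities are constructed for this illustration.

```python
import re
from typing import Optional

# RFC 4282 realm grammar, reduced to the parts the check depends on:
#   realm = 1*( label "." ) label
#   label = let-dig *( ldh-str )   (letters/digits, hyphen only inside a label)
# Because the grammar demands a label after the last ".", a trailing dot can never match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_NAI_REALM = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def nai_realm_is_valid(realm: str) -> bool:
    """RFC 4282 syntax check: 'site.com' passes, 'site.com.' and '-site.com' are rejected."""
    return _NAI_REALM.fullmatch(realm) is not None


def realm_of(user_name: str) -> Optional[str]:
    """Return the realm part of an NAI (text after the last '@'), or None if there is none."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1]


def dns_target(realm: str) -> str:
    """Normalise a realm the way a resolver sees it: case-insensitive, trailing dot optional.
    The result is always written as an FQDN with its terminating dot, so 'foo.bar' and
    'foo.bar.' collapse to the same key."""
    return realm.lower().rstrip(".") + "."


def classify(user_name: str) -> dict:
    """Mirror the policy.conf check (User-Name =~ /\\.$/) and put the DNS view next to it."""
    realm = realm_of(user_name)
    return {
        "realm": realm,
        "rejected_by_policy": user_name.endswith("."),          # what the unlang regex tests
        "rfc4282_valid": realm is not None and nai_realm_is_valid(realm),
        "dns_target": dns_target(realm) if realm else None,     # same for both spellings
    }


if __name__ == "__main__":
    # Constructed sample identities: the two spellings of one realm.
    for name in ("user@site.com", "user@site.com."):
        print(name, classify(name))
```

Running it shows both identities mapping to the DNS target `site.com.` while only the second is rejected by the syntax rule.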


