Expanding Suffix or Realm attributes

Rob Turner rob at crosscut.org
Wed Jun 30 03:55:57 CEST 2010

Problem: Cannot expand %{Realm} or %{Suffix} control attributes for use unless realm is explicitly defined in proxy.conf 

I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to perform an ldap dip to get the radiusProxyToRealm attribute for each request based on Suffix as configured in modules/ldap: 

filter = "(radiusRealm=%{Suffix})" 

NOTE: If using <filter = "(radiusRealm=domain.com)"> in modules/ldap, radiusProxyToRealm is returned successfully and things work as expected. In this case the Proxy-To-Realm (which is mapped in ldap.attrmap) is set in ldap to proxy.com and proxy.com is defined in proxy.conf. 

Output from radiusd -X: 
[suffix] Looking up realm "domain.com" for User-Name = "test at domain.com" 
[suffix] No such realm "domain.com" 
++[suffix] returns noop 
++[files] returns noop 
[ldap] performing user authorization for test at domain.com 
[ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=) 

After reading man unlang, I have also attempted (without success) to expand using the following in ldap filter: 


Finally, after revisiting man rlm_realm, I read the following which is of concern as I don't see any other way to utilize the radiusProxyToRealm attribute in ldap: 

"In either case, a Realm attribute is created and added to the packet on a match, which can be used by other modules." 

Is there currently anyway to always match (regardless if the realm is defined in proxy.conf) in order to create a Stripped-User-Name and Realm run-time variable with every request? 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100629/e0395235/attachment.html>

More information about the Freeradius-Users mailing list