Expanding Suffix or Realm attributes
Rob Turner
rob at crosscut.org
Wed Jun 30 03:55:57 CEST 2010
Problem: Cannot expand %{Realm} or %{Suffix} control attributes for use unless realm is explicitly defined in proxy.conf
I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to perform an ldap dip to get the radiusProxyToRealm attribute for each request based on Suffix as configured in modules/ldap:
filter = "(radiusRealm=%{Suffix})"
NOTE: If using <filter = "(radiusRealm=domain.com)"> in modules/ldap, radiusProxyToRealm is returned successfully and things work as expected. In this case the Proxy-To-Realm (which is mapped in ldap.attrmap) is set in ldap to proxy.com and proxy.com is defined in proxy.conf.
Output from radiusd -X:
...
[suffix] Looking up realm "domain.com" for User-Name = "test at domain.com"
[suffix] No such realm "domain.com"
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for test at domain.com
[ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=)
...
After reading man unlang, I have also attempted (without success) to expand using the following in ldap filter:
%{control:Realm}
%{control:Suffix}
%{suffix:User-Name}
%{realm:User-Name}
Finally, after revisiting man rlm_realm, I read the following which is of concern as I don't see any other way to utilize the radiusProxyToRealm attribute in ldap:
"In either case, a Realm attribute is created and added to the packet on a match, which can be used by other modules."
Is there currently any way to always match (regardless if the realm is defined in proxy.conf) in order to create a Stripped-User-Name and Realm run-time variable with every request?
Regards,
Rob
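
Added example, not part of the original post and not FreeRADIUS's shipped configuration: one way to have a Realm value on every request, assuming FreeRADIUS 2.x unlang. When suffix returns noop for a realm missing from proxy.conf, a regex fallback sets Stripped-User-Name and Realm, and the ldap filter then keys on %{Realm}; the character class allowed for the realm is an assumption chosen to keep unexpected characters out of the LDAP filter.

```unlang
# raddb/sites-enabled/default (excerpt; file layout assumed)
authorize {
    preprocess

    # rlm_realm: creates Realm and Stripped-User-Name only when the
    # realm after "@" is defined in proxy.conf, otherwise returns noop.
    suffix

    # Fallback for realms that suffix did not match.
    if (!Realm) {
        # %{1} = user part, %{2} = realm part.
        # Only letters, digits, "." and "-" are accepted as a realm
        # (assumed policy), so nothing else reaches the LDAP filter.
        if (User-Name =~ /^([^@]+)@([A-Za-z0-9.-]+)$/) {
            update request {
                Stripped-User-Name := "%{1}"
                Realm := "%{2}"
            }
        }
    }

    files

    # Runs after Realm exists, so the filter below expands to
    # (radiusRealm=domain.com) instead of (radiusRealm=).
    ldap
}

# raddb/modules/ldap (excerpt): the filter from the post, keyed on Realm.
#   filter = "(radiusRealm=%{Realm})"
#
# A User-Name without "@", or with a realm outside the character class,
# leaves Realm unset and the filter still expands to (radiusRealm=).
```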