New User and AD Question

McNutt, Justin M. McNuttJ at
Tue Mar 1 01:52:55 CET 2011

> ignore me. i'm tired. yes, this is a little bit of pain.  

I understand.  I wondered about that when I saw the  You must be working hours similar to mine.  (That is, all of them.)

> you'll be best off using a bit of unlang eg
> (put this in the authorize section of your main virtual server)
>     if ( User-Name =~ /^host\//i ) {
>         if ( User-Name =~ /\\.col\\.missouri\\.edu$/i ) {
>             update control {
>                 Proxy-To-Realm := ""
>             	}
>         }  
>     }  
> this will then throw the packet to the the part of proxy.conf that has
> a bit of regex foo and you can use %{1} return operators etc 
> rather than
> hardcode things if you want.... alternatively you can deal 
> with what you know as yours
> and then identity what isnt yours and reject or proxy them
> machine auth can be pretty nasty...

That looks like Perl.  Perl, I can deal with.  I do have multiple domains to attack.  If I can come up with something generic that works for at least two domains, I'll post it here.  Looks predictable enough.  I'm thinking along the lines of something like this:

# BOL, "host", a slash, one or more non-dot characters, a dot,
# one or more non-whitespace chars, EOL.
if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
	update control {
		Proxy-To-Realm := %{2};

I have two toddlers crawling on me at the moment (literally), so I haven't checked unlang syntax, but from Perl, that's more or less what it would look like.  %{1} would contain the host name.  Do I need to update the User-Name to just %{1} and/or update other fields related to the realm (domain)?

It may be difficult to try this before tomorrow morning, since I'm now off site, but I'll at least work at it until "radiusd -X" is happy with it.



More information about the Freeradius-Users mailing list