Strip off the domain part from the User-Name

Robert Roll Robert.Roll at utah.edu
Fri Mar 25 22:45:18 CET 2011


>  Uh.. if you don't read the documentation and don't understand what
> you're doing, it probably won't do what you want.

 Sometimes true, sometimes not :)

>  Rather than randomly making changes, perhaps you could explain what
> you're trying to do, and why.

 Right now, I'm just experimenting and trying to learn how things work...

 In any case, to give you an idea of one of the things I was thinking about...

   One idea is that we have a number of departments that want to be put into
 a particular VLAN when they log in.  When a user normally logs in, they simply
use their username. This simply puts them in the general user VLAN. However,
if they log in with username@department, and they are authorized, we will return
the particular radius attribute to put them into their specific department VLAN.

 A normal authorize might look like:

   ldapAuthUser

   if (Realm) {
         ldapAuthVLAN
   }

    If one is smart about naming the Group in ldap the same as the Realm, 
then one can quite easily construct a search filter in the ldap module to
look at the appropriate group in ldap. That group would actually have the
particular  radiusReplyItem to return the correct VLAN...

  Note that in the above the Realm is quite useful, but there is NO need to
actually do proxy, so really no "REAL" need to get into the proxy.conf ?

Thanks,

Robert



________________________________________
From: freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org] On Behalf Of Alan DeKok [aland at deployingradius.com]
Sent: Friday, March 25, 2011 1:09 PM
To: FreeRadius users mailing list
Subject: Re: Strip off the domain part from the User-Name

Robert Roll wrote:
> We're currently running 2.1.10..
>
>  I seemed to notice that the "Out of the Box Config" does not seem to actually create
> a Stripped-Username and Realm.

  It creates those attributes if you define a realm.  If you don't
define a realm, it doesn't know how to create a "Realm" attribute.

> I did find that when I created a "real" realm in the proxy.conf
> file, then a Stripped-Username and Realm were available.

  Yes...

> So, I thought that if I really wanted
> ALL usernames "stripped" into their component parts, I would just change the example.com realm
> in the proxy.conf file to be "DEFAULT" ?  This then seemed to send the request into some sort of
> endless loop ?

  Uh.. if you don't read the documentation and don't understand what
you're doing, it probably won't do what you want.

  Rather than randomly making changes, perhaps you could explain what
you're trying to do, and why.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
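
The scheme described in the message above (split the User-Name at "@", look up an LDAP group named after the realm, return that group's VLAN only to authorized members), modelled in Python as an added example; it is not code from the thread or from FreeRADIUS. The directory contents, VLAN numbers and function names are constructed, and rejecting an unauthorized realm request is this example's assumption. Because the user chooses the realm, it is escaped per RFC 4515 before it goes into a search filter.

```python
# Added example: models the realm -> LDAP group -> VLAN decision.
# DIRECTORY, DEFAULT_VLAN and every function name are constructed for illustration.

DEFAULT_VLAN = "100"  # general user VLAN (constructed value)

# Constructed stand-in for LDAP: group name -> members and VLAN reply item.
DIRECTORY = {
    "physics": {"members": {"alice"}, "vlan": "210"},
    "biology": {"members": {"bob"}, "vlan": "220"},
}

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def split_user_name(user_name):
    """Return (stripped_user_name, realm); realm is None when none was given."""
    user, sep, realm = user_name.rpartition("@")  # split at the LAST '@'
    if not sep:
        return user_name, None
    return user, realm.lower() or None


def escape_filter_value(value):
    """Escape a user-supplied value before placing it in a search filter."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def group_filter(realm, user):
    """Filter a server could send: matches the realm's group only for members."""
    return "(&(cn=%s)(memberUid=%s))" % (
        escape_filter_value(realm), escape_filter_value(user))


def authorize(user_name):
    """Reply attributes for an already authenticated user, or None to reject."""
    user, realm = split_user_name(user_name)
    reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-Id": DEFAULT_VLAN}
    if realm is None:
        return reply  # plain username: general user VLAN
    # The dictionary lookup stands in for running group_filter() against LDAP.
    group = DIRECTORY.get(realm)
    if not user or group is None or user not in group["members"]:
        return None  # assumption: a realm the user may not use is rejected
    reply["Tunnel-Private-Group-Id"] = group["vlan"]  # VLAN comes from the group
    return reply
```

The VLAN id is always read from the group entry, never derived from the realm string the user typed.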