Strip off the domain part from the User-Name
Fajar A. Nugraha
list at fajar.net
Fri Mar 25 23:01:55 CET 2011
On Sat, Mar 26, 2011 at 5:00 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Sat, Mar 26, 2011 at 4:45 AM, Robert Roll <Robert.Roll at utah.edu> wrote:
>> A normal authorize might look like:
>>
>>
>> ldapAuthUser
>>
>> if( %Realm ) {
>> ldapAuthVLAN
>> }
>>
>> If one is smart about naming the Group in ldap the same as the Realm,
>> then one can quite easily construct a search filter in the ldap module to
>> look at the appropriate group in ldap. That group would actually have the
>> particular radiusReplyItem to return the correct VLAN...
>>
>> Note that in the above the Realm is quite useful, but there is NO need to
>> actually do proxy, so really no "REAL" need to get into the proxy.conf ?
>
> If you just want to split username at realm into username and realm, you
> should be able to use this in authorize section
>
> if ("%{request:User-Name}" =~ /^(.*)@/) {
Sorry, that should be
if ("%{request:User-Name}" =~ /^(.*)@(.*)/) {
> update request {
> Stripped-User-Name := "%{1}"
> Realm := "%{2}"
> }
> }
>
> As a side note, even if you only use freeradius locally (without any
> external server to proxy to), using proxy can be useful if you have
> multiple realms with different configurations. Using proxy you can
> split the request into different virtual servers based on their realm.
>
> --
> Fajar
>
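
The split described in this message, as an added Python example (not part of the original post and not FreeRADIUS code): it mirrors the corrected pattern to show what lands in each capture group for awkward User-Name values, then checks the realm before it is placed in an LDAP group filter of the kind discussed in the quoted text. The `REALM_OK` allow-list, the helper names, and the `groupOfNames`/`cn` filter shape are assumptions for illustration.

```python
import re

# The corrected pattern from the message, mirrored in Python's re module.
SPLIT_RE = re.compile(r"^(.*)@(.*)")

# Assumption: realms are DNS-style names; this allow-list is illustrative.
REALM_OK = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")


def split_user_name(user_name):
    """Return (stripped_user_name, realm), or (user_name, None) if no '@'."""
    m = SPLIT_RE.match(user_name)
    if m is None:
        return user_name, None
    # The first group is greedy, so the split happens at the LAST '@'.
    return m.group(1), m.group(2)


def ldap_escape(value):
    """Escape RFC 4515 special characters for use inside a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(user_name):
    """Build a filter for the group named after the realm, or None to reject."""
    _, realm = split_user_name(user_name)
    if realm is None or not REALM_OK.fullmatch(realm):
        return None
    # Assumed filter shape: a group whose cn equals the realm.
    return "(&(objectClass=groupOfNames)(cn=%s))" % ldap_escape(realm)


if __name__ == "__main__":
    # Constructed sample User-Name values.
    for name in ["alice@example.org", "alice", "a@b@example.org",
                 "@example.org", "alice@", "alice@ex*mple.org"]:
        print(repr(name), split_user_name(name), group_filter(name))
```
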