Strip off the domain part from the User-Name

Robert Roll Robert.Roll at utah.edu
Fri Mar 25 23:09:47 CET 2011


>If you just want to split username@realm into username and realm, you
>should be able to use this in authorize section
>
>                # %{1} = user part, %{2} = realm part
>                if ("%{request:User-Name}" =~ /^(.*)@(.+)$/) {
>                        update request {
>                                Stripped-User-Name := "%{1}"
>                                Realm := "%{2}"
>                        }
>                }
>

Yes, thanks, and we may end up doing exactly that. However, I'll just
point out that FreeRADIUS OBVIOUSLY already has the capability to do
exactly this, so why re-invent the wheel?

>As a side note, even if you only use freeradius locally (without any
>external server to proxy to), using proxy can be useful if you have
>multiple realms with different configurations. Using proxy you can
>split the request into different virtual servers based on their realm.
>--
>Fajar

Yes, I do agree... As I said earlier, some of what I am doing is just to
try and experiment and see what is possible. I'm actually quite impressed
with FreeRADIUS and right now, we are still a ways from what I would consider
any kind of final configuration...

Thanks,

Robert

________________________________________
From: freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org] On Behalf Of Fajar A. Nugraha [list at fajar.net]
Sent: Friday, March 25, 2011 4:00 PM
To: FreeRadius users mailing list
Subject: Re: Strip off the domain part from the User-Name

On Sat, Mar 26, 2011 at 4:45 AM, Robert Roll <Robert.Roll at utah.edu> wrote:
>  A normal authorize might look like:
>
>
>   ldapAuthUser
>
>  if( %Realm ) {
>        ldapAuthVLAN
>  }
>
>    If one is smart about naming the Group in ldap the same as the Realm,
> then one can quite easily construct a search filter in the ldap module to
> look at the appropriate group in ldap. That group would actually have the
> particular  radiusReplyItem to return the correct VLAN...
>
>  Note that in the above the Realm is quite useful, but there is NO need to
> actually do proxy, so really no "REAL" need to get into the proxy.conf ?

If you just want to split username@realm into username and realm, you
should be able to use this in authorize section

                # %{1} = user part, %{2} = realm part
                if ("%{request:User-Name}" =~ /^(.*)@(.+)$/) {
                        update request {
                                Stripped-User-Name := "%{1}"
                                Realm := "%{2}"
                        }
                }

As a side note, even if you only use freeradius locally (without any
external server to proxy to), using proxy can be useful if you have
multiple realms with different configurations. Using proxy you can
split the request into different virtual servers based on their realm.

--
Fajar
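
An added example, not code from this thread or from FreeRADIUS: the same user/realm split in Python, with the name validated and escaped before the realm is used to build an LDAP group filter of the kind described in the quoted message. The DNS-style realm pattern and the posixGroup/cn/memberUid schema are assumptions.

```python
import re

# Assumption: realms are DNS-style names; adjust the pattern to local policy.
# The user part may not contain "@" or whitespace, so "a@b@c" is rejected.
USER_RE = re.compile(
    r"^([^@\s]+)@([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)$"
)


def split_user_name(user_name):
    """Return (stripped_user, realm); realm is None when no '@' is present.

    Raises ValueError for names such as 'a@b@c', '@realm' or 'user@'.
    """
    if "@" not in user_name:
        return user_name, None
    m = USER_RE.match(user_name)
    if m is None:
        raise ValueError("malformed User-Name: %r" % user_name)
    return m.group(1), m.group(2).lower()


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def vlan_group_filter(user_name):
    """Filter for the group named after the realm, or None without a realm."""
    user, realm = split_user_name(user_name)
    if realm is None:
        return None
    # Assumed schema: a posixGroup whose cn equals the realm name.
    return "(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))" % (
        ldap_escape(realm),
        ldap_escape(user),
    )
```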
