Changing domain for ntlm_auth

Phil Mayers p.mayers at
Thu Jan 26 12:24:56 CET 2012

On 01/26/2012 09:36 AM, NdK wrote:

> Since it seems I have to do EXACTLY the same mapping both in "default"
> and "inner-tunnel" sites, I saved my "if" chain in and used
> $INCLUDE to insert it in both virtual servers, just after the opening
> brace of authorize. Hope it's the correct thing to do :) (even if
> there's a "suspect" preprocess module in 'default' that smells like a
> candidate...).

You can re-use bits of "unlang" as virtual modules. See "policy.conf". 
This is often a bit neater than $INCLUDE.

I do exactly this, for exactly this case (username/realm processing).

> Too bad it seems unlang doesn't like :
> if (cond) {
> ...
> } elsif (othercond) {

Well, no.

FreeRADIUS config is basically:

block {
   item = value
   sub-block {
   sub-block2 {

"if", "elsif" are just blocks. Blocks need to start on their own line.

The name is intended as a hint here - it's NOT a programming language. 
It's a syntax for writing authentication policies and rules, that is a 
bit like a language.

> That seems quite a serious limit in the unlang grammar...

That's quite a statement. Can't you just hit "return" after "}"?
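
The policy.conf approach described above, as an added example that is not part of the original post: one virtual module holds the if/elsif chain and is called from both virtual servers, so the outer and inner identity mapping cannot drift apart. The module name map_ntlm_domain, the realm names and the attributes being set are assumptions, and the FreeRADIUS 2.x "policy { }" wrapper is assumed.

```conf
# raddb/policy.conf (FreeRADIUS 2.x layout assumed)
policy {
    # Hypothetical virtual module. Realm names and target domains
    # below are constructed for illustration.
    map_ntlm_domain {
        if (User-Name =~ /^([^@]+)@staff\.example\.org$/i) {
            update request {
                Stripped-User-Name := "%{1}"
                Realm := "STAFF"
            }
        }
        # "elsif" is a block of its own, so it starts on its own
        # line; writing "} elsif (...) {" is a parse error.
        elsif (User-Name =~ /^([^@]+)@students\.example\.org$/i) {
            update request {
                Stripped-User-Name := "%{1}"
                Realm := "STUDENTS"
            }
        }
    }
}

# raddb/sites-available/default AND raddb/sites-available/inner-tunnel:
# call the same virtual module by name in each authorize section.
authorize {
    map_ntlm_domain
    # ... rest of the section unchanged
}
```

Running radiusd -X after the change shows whether both virtual servers parse and in which order the module is called for a test request.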
