Realm attribute population

Phil Mayers p.mayers at imperial.ac.uk
Thu Jul 25 14:57:38 CEST 2013


On 25/07/13 10:43, stefan.paetow at diamond.ac.uk wrote:
> Alan,
>
> https://confluence.terena.org/display/H2eduroam/freeradius-sp implies that after v2.1.9, "%{Realm}" would contain "DEFAULT", not whatever the realm extracted from User-Name was, when used in logging... Hence my question.
>
> Of course, if this is no longer an issue, then I'll happily amend our instructions to leave the DEFAULT realm as-is. Also, when I wrote "DEFAULT {}", it was a shortening (for the sake of brevity) of:
>
> realm DEFAULT {
>     authhost = blah
>     etc etc etc
> }
>
> I was just trying to save some lines and extraneous text here.

IMHO you're much better off avoiding the "realm" module, and handling 
the processing yourself in unlang, particularly if you're doing 
eduroam or another federation. This lets "Realm" and "Proxy-To-Realm" be 
different values, and allows extended checking to be done on the realm value.

We do something like this:

authorize {
   # Split User-Name into local part and realm; %{1} and %{2} are the captures
   if (User-Name =~ /^(.*)@(.+)$/) {
     update request {
       Stripped-User-Name := "%{1}"
       Realm := "%{toupper:%{2}}"
     }
     # Realms we serve ourselves go to the local home-server pool
     if ((Realm == "MY.REALM1") || (Realm == "MY.REALM2")) {
       update control {
         Proxy-To-Realm := "MYREALM"
       }
     }
     # Anything else must at least look like a DNS-style realm name
     elsif (Realm !~ /^([-A-Z0-9]+\.)+[-A-Z0-9]+/) {
       # invalid realm format
       reject
     }
     # Well-formed foreign realm: hand it to the federation
     else {
       update control {
         Proxy-To-Realm := "EDUROAM"
       }
     }
   }
   else {
     # No "@" in User-Name at all
     reject
   }
}
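As an added example (not code from the post, and not part of FreeRADIUS), here is a Python model of the same authorize decision logic so the policy can be checked offline against edge cases before the unlang goes live; the realm names MY.REALM1/MY.REALM2 and the sample user names are assumptions:

```python
import re

# Constructed reference model of the unlang "authorize" policy above.
# It uses the same two regexes and the same (assumed) realm names.
USERNAME_RE = re.compile(r"^(.*)@(.+)$")
# Same pattern as the unlang: it has no trailing '$', so text after a
# well-formed realm is still accepted (see the "trailing junk" case).
REALM_FORMAT_RE = re.compile(r"^([-A-Z0-9]+\.)+[-A-Z0-9]+")
LOCAL_REALMS = {"MY.REALM1", "MY.REALM2"}  # assumed local realms


def authorize(user_name):
    """Return (decision, attrs): decision is 'ok' or 'reject', attrs holds
    the request/control attributes the unlang would have set."""
    m = USERNAME_RE.match(user_name)
    if not m:
        return "reject", {}          # outer else { reject }: no '@' at all
    # (.*) is greedy, so 'a@b@c' yields Stripped-User-Name 'a@b', Realm 'C'.
    attrs = {"Stripped-User-Name": m.group(1), "Realm": m.group(2).upper()}
    realm = attrs["Realm"]
    if realm in LOCAL_REALMS:
        attrs["Proxy-To-Realm"] = "MYREALM"
    elif not REALM_FORMAT_RE.search(realm):   # unlang !~ is an unanchored search
        return "reject", attrs               # invalid realm format
    else:
        attrs["Proxy-To-Realm"] = "EDUROAM"
    return "ok", attrs


if __name__ == "__main__":
    # Constructed sample User-Names exercising each branch and two edge cases
    for name in ["alice@My.Realm1", "bob@example.org", "carol",
                 "dave@localhost", "eve@example.org!!", "a@b@c"]:
        print(name, "->", authorize(name))
```

Running the file prints the decision for each sample; the "eve@example.org!!" line shows the unanchored format check letting trailing characters through, which is worth knowing when the Realm value is later used in logs or for routing.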
