migration to rlm_perl with two user domains setup

Saša Babić sb at pharmacy.bg.ac.rs
Fri Aug 1 12:47:05 CEST 2014

Hi. My situation:
- freeradius 2.1.12 on debian,
- eap/ttls setup (eduroam) by someone who doesn't work here any more,
- pretty vague understanding of freeradius, I'm affraid,
- two separate groups of users (employees and students); user accounts 
in AD and in Postgresql,
- two virtual servers: eduroam & eduroam-inner-tunnel,
- each group uses its own domain for authentication (e.g. 
user at example.edu & user at sub.example.edu).

Right now I have a Ruby script which I planted instead of ntlm_auth 
(called by eduroam-inner-tunnel) that does the actual work. At the 
moment, the script accepts non-stripped User-Name, matches the domain 
and calls the appropriate method. Obviously not the most elegant 
solution, but it works.

Now I want to migrate the script to Perl and use rlm_perl, since it 
looks like rlm_ruby is not that mature.

If I understood correctly the way freeradius/rlm_perl works, the 
database connection should be set inside a CLONE() subroutine. Since my 
script connects to two different types of databases (LDAP & Postgresql), 
I'm thinking that it would be more elegant to use different virtual 
servers (per domain) with two different scripts. That way each virtual 
server would call a separate script (or rlm_perl module in the future), 
and each script could have its own CLONE() subroutine.

The confusing part is that eduroam-inner-tunnel virtual server is set in 
eap.conf in the ttls {} section. Can I do some sort of workflow controll 
there so that the actual virtual server is determined by the user's 
domain? Or is there a better way to do it?

BTW, I'm planning to migrate to freeradius 3.0.x at the same time, so 
any hints and/or examples for that version are more then welcome. Thanks.


More information about the Freeradius-Users mailing list