unlang vs suffix

Khapare Joshi khapare77 at gmail.com
Fri Nov 7 13:05:20 CET 2014 

to follow up on my previous answer you can achieve with this lines:

      if (Realm =~ /(.+?\.iscte\.pt)$/) {
        update reply {
                        Reply-Message := "Sorry, We do not allow sub-domain
Please contact Helpdesk"
                        }
                        reject
                }


On Thu, Nov 6, 2014 at 5:08 PM, Khapare Joshi <khapare77 at gmail.com> wrote:

> ah this is the way to go. so basically disable suffix from both
> sites-enabled/default and sites-enabled/inner-tunnel, then have this unlang
> in sites-enabled/default authorized section -- nice
>
> ok now you are also proxing sub-domain.iscte.pt, maybe either
> sub-domain.iscte.pt Proxy-To-Realm := LOCAL or reject them, this way you
> won't proxing allpossiblesubdomain.iscte.pt to your EDUROAM,
>
> how is the correct unlang for rejecting or proxy to LOCAL for
> subdomain.iscte.pt  ?
>
>
>
>
>
> On Wed, Nov 13, 2013 at 4:50 PM, Arran Cudbard-Bell <
> a.cudbardb at freeradius.org> wrote:
>
>>
>> > I have a simple doubt; I have seen many times a couple of people saying
>> they prefer to use unlang than the suffix directive; what´s the advantage
>> of - supposing proxy.conf is adequately  configured, instead of doing
>>
>> Suffix is deprecated, it was remove from version 3.x.x because it
>> duplicated behaviour
>> available with unlang.
>>
>> If you want to use new versions of the server you don't have a choice.
>>
>> >
>> >
>> > suffix
>> >
>> > do instead (ignore the if part, I know it is missing in the example
>> above, it is here just for the sake of clarity):
>> >
>> >
>> >         if (!(User-Name =~ /^([^@]*)@(.+)$/)) {
>> >            update reply {
>> >               Reply-Message := "malformed username"
>> >            }
>> >            reject
>> >         }
>> >         else {
>> >            update request {
>> >                 Stripped-User-Name := "%{1}"
>> >                 Realm := "%{2}"
>> >            }
>> >            if (Realm == "iscte.pt") {
>> >               update control {
>> >                  Proxy-To-Realm := LOCAL
>> >               }
>> >            }
>> >            else {
>> >               update control {
>> >                  Proxy-To-Realm := EDUROAM
>> >               }
>> >            }
>> >         }
>>
>> Suffix is more magic. The logic isn't obvious to someone new to
>> FreeRADIUS, whereas writing it out explicitly in
>> unlang is easily understandable.
>>
>> It's also not obvious (by the name) that suffix will also setup proxying,
>> as well as mangling the username.
>>
>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>> FreeRADIUS Development Team
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141107/21603248/attachment.html>

More information about the Freeradius-Users mailing list