Routing new RFC7542-style realms
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Sun Oct 2 17:28:50 CEST 2016
> If you have "realm1!user at realm2", then the packet MUST be routed by
> third parties to "realm2". Because it is the domain name which appears
> after the "@".
Yep. That's all fine.
> The existing "realm" module isn't smart enough to do this kind of
> double lookup. Though I suppose it shouldn't be too hard to add (hint
> hint). Just have it check for a realm, and if the realm is local, do
> *another* check for realm on the user portion.
>
> It can be done manually in "unlang". But it means replicating the
> logic in rlm_realm, and re-writing it unlang statements.
OK, I simply rewrite the User-Name *before* calling suffix? Because if I
do it after and then try to do something else like trying to get FR to
proxy it, I get 'Request already has destination realm set. Ignoring' (at
this point that's the realm to the right of the '@'). How do I reset that?
:-/
I have this in my authorize (after suffix):
# Stripped-User-Name is "realm1!user" once suffix has removed "@realm2".
# The opening parenthesis of the first capture group was missing, and "-"
# is placed last in the class so it is literal in every regex flavour.
if (&Stripped-User-Name =~ /^([a-zA-Z0-9.-]+)!(.+)$/) {
    update request {
        # %{1} = realm1 (the real home realm), %{2} = the bare user name
        User-Name := "%{2}@%{1}"
        # drop the Realm that suffix set, otherwise a later realm lookup
        # logs "Request already has destination realm set. Ignoring"
        Realm !* ANY
    }
}
But then... Because it previously identified this as a local realm, it
then tries to do authentication locally...
Any suggestions are helpful.
:-)
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
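One way to do the rewrite before suffix, as an added example that is neither the poster's config nor FreeRADIUS's own: it assumes FreeRADIUS 3.x unlang, the stock "suffix" instance of rlm_realm, and a placeholder local realm name "realm2.example".

```unlang
# Added example. Assumes the local realm is "realm2.example" (placeholder)
# and that "suffix" is the usual rlm_realm instance from mods-available/realm.
authorize {
    # RFC 7542 style NAI: "homerealm!user@realm2.example". Third parties
    # route on the realm after "@" and deliver the request here. Before
    # suffix runs, strip our own realm and promote the "homerealm!" prefix
    # to the realm, so suffix sees "user@homerealm" and sets the proxy
    # destination itself. Nothing has set Realm yet, so no reset is needed.
    if (&User-Name =~ /^([^!@]+)!([^@]+)@realm2\.example$/i) {
        update request {
            # %{1} = home realm, %{2} = user (may itself carry a further
            # "realm!" prefix, which the home realm will handle in turn)
            &User-Name := "%{2}@%{1}"
        }
    }

    # Normal realm handling: a configured realm with a home server pool
    # gets Proxy-To-Realm set; our own realm falls through to local auth.
    # Keep the proxied realms explicit: a catch-all DEFAULT realm that
    # proxies would let any "!" prefix pick the destination.
    suffix
}
```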
More information about the Freeradius-Users mailing list