how to manage dynamic list of realms
Gil Sudai
gilsudai at gmail.com
Fri Sep 7 15:39:13 CEST 2018
Thanks Alan. I will look into what you suggest.
On Fri, Sep 7, 2018, 14:46 Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 7, 2018, at 3:10 AM, Gil Sudai <gilsudai at gmail.com> wrote:
> > I am planning following solution: A system where companies (aka realm in
> > radius?) can be added or remove dynamically. And for each company there
> is
> > a dynamic list of users. For example user at comp-1com, user at comp-2.com,
> etc.
>
> That's simple to do.
>
> > Users will authenticate with name and password.
> >
> > I would like tips and pointers for further reading regarding the
> following
> > questions:
> >
> > - Is it possible to add & remove a company (realm?) dynamically without
> > restarting the radius server?
>
> Yes and no. If you use the proxy.conf file to define realms, it will
> only be re-read when the server starts.
>
> But you don't need to define realms there. The realms are defined there
> only for ease of proxying. If you're not proxying, you can define realms
> anywhere.
>
> > - How to setup the radius to support multiple (dynamic) realms?
>
> Match the username as a regular expression. Parse the realm off that
> way. Put the realms into a separate DB table:
>
> if (User-Name =~ /^([^@]+)@([^@+)$/) {
> update request {
> Stripped-User-Name := "%{1}"
> Realm := "%{2}"
> }
> }
>
> Then, look the realm up in an SQL table. You will have to create this
> table yourself, and customize the query:
>
> #
> # Realms NOT in the able get rejected
> #
> if ("{%sql:SELECT realm FROM realmstable WHERE realm =
> '%{Realm}'}" == "") {
> reject
> }
>
> > - I want to put the users in postgresql db. When a user is added to a
> > company my code will add it to the db. To store all users from all realms
> > will be in a single db table (realm would be a column) or in different db
> > tables?
>
> However you want. Once you have verified that the realm is known, you
> can structure SQL any way you want.
>
> You can edit the SQL queries in mods-config/sql/main/... to include the
> %{Realm} attribute as part of the table name.
>
> Then, create a table for each realm: radcheck_example.com,
> radreply_example.com, radacct_example.com, etc.
>
> > - do I need to use virtual servers for that or only realms?
>
> You don't need different virtual servers.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list