how to manage dynamic list of realms

Gil Sudai gilsudai at gmail.com
Fri Sep 7 15:39:13 CEST 2018


Thanks Alan.  I will look into what you suggest.



On Fri, Sep 7, 2018, 14:46 Alan DeKok <aland at deployingradius.com> wrote:

> On Sep 7, 2018, at 3:10 AM, Gil Sudai <gilsudai at gmail.com> wrote:
> > I am planning following solution:  A system where companies (aka realm in
> > radius?) can be added or remove dynamically. And for each company there
> is
> > a dynamic list of users. For example user at comp-1.com, user at comp-2.com,
> etc.
>
>   That's simple to do.
>
> > Users will authenticate with name and password.
> >
> > I would like tips and pointers for further reading regarding the
> following
> > questions:
> >
> > - Is it possible to add & remove a company (realm?) dynamically without
> > restarting the radius server?
>
>   Yes and no.  If you use the proxy.conf file to define realms, it will
> only be re-read when the server starts.
>
>   But you don't need to define realms there.  The realms are defined there
> only for ease of proxying.  If you're not proxying, you can define realms
> anywhere.
>
> > - How to setup the radius to support multiple (dynamic) realms?
>
>   Match the username as a regular expression. Parse the realm off that
> way.  Put the realms into a separate DB table:
>
>         #  Exactly one '@', with a non-empty user part and a non-empty realm part
>         if (User-Name =~ /^([^@]+)@([^@]+)$/) {
>                 update request {
>                         Stripped-User-Name := "%{1}"
>                         Realm := "%{2}"
>                 }
>         }
>
>   Then, look the realm up in an SQL table.  You will have to create this
> table yourself, and customize the query:
>
>         #
>         #  Realms NOT in the table get rejected
>         #
>         if ("%{sql:SELECT realm FROM realmstable WHERE realm =
> '%{Realm}'}" == "") {
>                 reject
>         }
>
> > - I want to put the users in postgresql db. When a user is added to a
> > company my code will add it to the db. To store all users from all realms
> > will be in a single db table (realm would be a column) or in different db
> > tables?
>
>   However you want.  Once you have verified that the realm is known, you
> can structure SQL any way you want.
>
>   You can edit the SQL queries in mods-config/sql/main/... to include the
> %{Realm} attribute as part of the table name.
>
>   Then, create a table for each realm:  radcheck_example.com,
> radreply_example.com, radacct_example.com, etc.
>
> > - do I need to use virtual servers for that or only realms?
>
>   You don't need different virtual servers.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
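The policy Alan sketches above (split User-Name on a single '@', reject unknown realms, then pick a per-realm table) is easy to get subtly wrong, so here is the same logic as an added, stand-alone example. It is not code from the thread or from FreeRADIUS; it models the unlang policy and SQL lookups in Python so the edge cases can be exercised offline. Assumptions: an in-memory SQLite database stands in for PostgreSQL, the table names `realmstable` and `radcheck_<realm>` follow the thread's naming, and realms are restricted to lowercase DNS-like characters before they are ever spliced into a table name (a parameter placeholder cannot be used in identifier position, so that validation is the only thing standing between an attacker-controlled User-Name and the query text).

```python
import re
import sqlite3

# Same split the unlang policy in the thread performs: exactly one '@',
# non-empty user part, non-empty realm part.  "a@b@c", "alice@" and "alice"
# all fail to match and are treated as "no realm".
USER_RE = re.compile(r"^([^@]+)@([^@]+)$")

# Assumption for this example: realms look like DNS names.  Anything else is
# refused before it can reach an identifier position in a query.
REALM_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")


def split_user_name(user_name):
    """Return (stripped_user_name, realm) or None if there is no single realm.

    The realm is lowercased so 'alice@COMP-1.com' and 'alice@comp-1.com'
    resolve to the same tenant and the same table.
    """
    m = USER_RE.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def open_db():
    """Constructed sample data: two known realms, one user in comp-1.com."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE realmstable (realm TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO realmstable VALUES (?)",
                   [("comp-1.com",), ("comp-2.com",)])
    # One radcheck table per realm, as suggested in the thread.
    for realm in ("comp-1.com", "comp-2.com"):
        db.execute('CREATE TABLE "radcheck_%s" '
                   '(username TEXT, attribute TEXT, op TEXT, value TEXT)' % realm)
    db.execute('INSERT INTO "radcheck_comp-1.com" VALUES (?, ?, ?, ?)',
               ("alice", "Cleartext-Password", ":=", "secret"))
    return db


def realm_known(db, realm):
    """The 'Realms NOT in the table get rejected' check, parameterized."""
    row = db.execute("SELECT realm FROM realmstable WHERE realm = ?",
                     (realm,)).fetchone()
    return row is not None


def radcheck_table(realm):
    """Build the per-realm table identifier.

    Identifiers cannot be bound as parameters, so only a realm that passed
    REALM_RE (and, in authorize(), the realmstable lookup) may be spliced in.
    """
    if not REALM_RE.match(realm):
        raise ValueError("realm is not a valid table-name suffix: %r" % realm)
    return '"radcheck_' + realm + '"'


def authorize(db, user_name):
    """Mirror of the authorize flow: split, check realm, fetch check items."""
    parts = split_user_name(user_name)
    if parts is None:
        return ("reject", "no single realm in User-Name")
    user, realm = parts
    if not realm_known(db, realm):
        return ("reject", "unknown realm")
    table = radcheck_table(realm)  # realm is already known, so this is safe
    rows = db.execute("SELECT attribute, op, value FROM %s WHERE username = ?"
                      % table, (user,)).fetchall()
    if not rows:
        return ("reject", "unknown user in realm")
    return ("ok", rows)


if __name__ == "__main__":
    db = open_db()
    for name in ("alice@comp-1.com", "alice@COMP-1.com", "bob@comp-1.com",
                 "alice@evil.example", "alice", "a@b@c",
                 'alice@comp-1.com"; DROP TABLE realmstable; --'):
        print("%-50s -> %s" % (name, authorize(db, name)))
```

Note the ordering: the realm is looked up with a bound parameter first, and only a realm that exists in `realmstable` (and matches the strict pattern) is used to name a table. If instead `%{Realm}` were spliced into a table name before the allowlist check, the User-Name an unauthenticated client sends would control part of the query text. The single-table alternative Alan also mentions (a `realm` column) avoids the identifier problem entirely, since then the realm is just another bound value.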
