Applying the same rule to multiple values in an attribute/config value

Alex Perez-Mendez Alex.Perez-Mendez at
Thu Feb 14 21:17:50 CET 2019

Hi Alan,

a further question has come to my mind when configuring this "bangpath" 
When the conditions are met and it is executed, it provides a value to 
&Request:Realm, so "suffix" results in "noop" and, hence, it rejects the 
authentication because in our "sites-enabled/abfab-tr-idp" file we have 
the following:
     suffix {
             updated = 1
             noop = reject
     }

I'm not sure why this was set here. I guess because we wanted that if no 
realm was resolved using the Trust Router, it should fail right away 
(I'm not sure that's necessarily true, though, as I guess it will 
eventually fail nonetheless as it will try to authenticate a local user 
that does not exist).

But now we have two different resolvers instead of just one. Would it 
have any security implications if I removed the "noop" line? If I do 
that it works.
If that's not desirable, would it be acceptable to make the check that 
if &request:Realm is set, then circumvent the suffix module?

Best regards,

On 13/2/19 at 14:40, Stefan Paetow wrote:
> Alrighty then.
> We'll have a pull request coming at you sometime in the near future.
> :-)
> Stefan Paetow
> Consultant, Trust and Identity
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at
> skype: stefan.paetow.janet
> On 13/02/2019, 14:17, "Freeradius-Users on behalf of Alan DeKok" < at on behalf of aland at> wrote:
>      On Feb 12, 2019, at 6:26 PM, Stefan Paetow <Stefan.Paetow at JISC.AC.UK> wrote:
>      > Also, I also figured out how to resolve the other problem. Instead of looping, I do this:
>        That looks good.
>      > The only thing where I and someone else diverge on is that I've defined two strings because I don't accidentally want to trample all over any potentially-defined Tmp-String-* attributes. What say you? Better this way, or Tmp-String-* be damned?
>        Better to use well-known and named attributes for one purpose.  We can always add these attributes to the internal dictionary.
>        Alan DeKok.

Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
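
The guard asked about in the message above, written out as an added example (it is not from the thread or from the poster's abfab-tr-idp file). It assumes a FreeRADIUS 3.x authorize section in which "bangpath" is listed before "suffix"; the surrounding section and the elided modules are assumptions.

```unlang
authorize {
    # ... other modules elided (assumed) ...

    # First resolver. When its conditions are met it sets &request:Realm.
    bangpath

    # Second resolver. Run it only when no realm has been set yet, so
    # that a "noop" from suffix means "no realm was resolved" and not
    # "a realm was already present on the request".
    if (!&request:Realm) {
        suffix {
            updated = 1
            noop = reject    # still fail right away when nothing resolved
        }
    }

    # ... other modules elided (assumed) ...
}
```

With this form a request that neither resolver matched is still rejected at this point, which deleting the "noop = reject" line would not do.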
