If MSCHAP attributes exist, use for AuthN, otherwise, force Kerberos? Also, gracefully accepting @domain in username?

Alan DeKok aland at deployingradius.com
Wed Mar 10 23:04:45 CET 2021


On Mar 10, 2021, at 4:19 PM, Braden McGrath via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> Unlang goes in the virtual server files (sites-{available,enabled}/*),
>> not in the users file (which is the module configuration file for
>> rlm_files).
> 
> This is also very helpful... is there an overview of what each file is
> supposed to do somewhere? There is *a lot* in here.

  Each file is extensively documented as to what it does, and what syntax it takes.  The "users" file has tons of comments at the top pointing you to "man users", and it also has a short description of the format of the "users" file.

  There's also raddb/sites-available/README, which describes what virtual servers are, and what can go into them.

  In short, if the documentation says you can do something, then it works.  If the document *doesn't* say that you can do something, then it won't work.

>> You can add a realm to proxy.conf, and let the rlm_realm module (see
>> "suffix" in the default virtual server) handle it, e.g.
>> 
>> realm realm.com {
>> }
>> 
>> Alternatively, add "split_username_nai" near the top of authorize{}
>> (from policy.d/canonicalization) which will put the stripped username in
>> Stripped-User-Name, but it will work for any realm, not just ones you've
>> listed.
> 
> I don't actually want to proxy to anywhere else, I just want to use it
> locally... I'm guessing this is just "the way it's done" though?

  Realms are "known domain names", i.e. "user at example.com".  You don't put that string into LDAP, though.  It's usually just "user".

  So the config:

realm example.com {
}

  tells the server that it's a local domain name / realm, and it's safe to split "user at example.com" into "user".

 This is all *extensively* documented in proxy.conf.  It explains what the differences are between local realms, and proxied realms.

> I'm fine with a failure for anything that doesn't match my predefined
> realm(s), though.
> Are realms (defined in proxy.conf) case-sensitive?

  Yes.

> I see the examples
> in the comments that mention regexp realms are NOT sensitive, but I'm
> guessing non-regex are?
> 
> I tried adding:
> realm foobar.net {
> }
> as well as
> realm FOOBAR.NET {
> }
> to proxy.conf, but I'm still getting complaints that the realm doesn't exist:
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "foobar.net" for User-Name = "testuser at foobar.net"
> (0) suffix: No such realm "foobar.net"
> 
> Do I actually need to populate the realm { } stanzas with ...
> something (like home_server or similar)? Or should they look like the
> realm LOCAL { } does?

  You can have an empty realm definition, as Matthew and the documentation suggest.

  If it's not working for you, then something is configured incorrectly.  Run the server in debug mode to see what.

  Alan DeKok.
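The thread turns on two details of rlm_realm's "suffix" lookup: realm names from proxy.conf are matched case-sensitively, and an empty realm stanza is a valid local realm. The following is an added Python model of that lookup, not FreeRADIUS code and not from anyone on the list; PROXY_CONF_REALMS is a constructed stand-in for proxy.conf, and the assumption that the split happens at the last "@" is mine, so check it against "man rlm_realm" before relying on it. It also models the poster's stated policy of rejecting any realm that is not predefined, which the module itself does not do (it returns noop and leaves Stripped-User-Name unset).

```python
"""Model of FreeRADIUS rlm_realm 'suffix' lookup against proxy.conf realms.

Constructed example, not FreeRADIUS code: it mirrors the behaviour described
in the thread (case-sensitive realm names, an empty realm stanza meaning a
local realm) so the effect of a missing or wrong-case realm can be seen
without reading radiusd -X output.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class RealmResult:
    rcode: str                           # "ok" or "noop", as rlm_realm returns
    stripped_user_name: Optional[str]    # Stripped-User-Name, set only on a hit
    realm: Optional[str]                 # Realm attribute, set only on a hit

# Constructed proxy.conf contents: each key is a realm name exactly as written
# in a "realm <name> { }" stanza.  An empty dict (no home_server_pool) stands
# for a local realm, which the thread confirms is legitimate.
PROXY_CONF_REALMS = {
    "example.com": {},
    "foobar.net": {},
}

def suffix_lookup(user_name, realms=PROXY_CONF_REALMS, delimiter="@"):
    """Emulate 'suffix' (rlm_realm with format = suffix) on a User-Name.

    Assumption: the name is split at the last delimiter, and the realm part is
    compared byte-for-byte, i.e. case-sensitively, as stated in the thread.
    """
    if delimiter not in user_name:
        return RealmResult("noop", None, None)   # no suffix: nothing to do
    user, realm_part = user_name.rsplit(delimiter, 1)
    if realm_part not in realms:
        # Corresponds to the 'No such realm "..."' line in the debug output:
        # the module returns noop and sets no attributes.
        return RealmResult("noop", None, None)
    return RealmResult("ok", user, realm_part)

def authorize_decision(user_name, realms=PROXY_CONF_REALMS):
    """Site policy modelled on the poster's wish: reject any request whose
    realm is not one of the predefined realms.  Returns (decision, name to
    look up in LDAP) where decision is "continue" or "reject"."""
    res = suffix_lookup(user_name, realms)
    if res.rcode == "ok":
        return ("continue", res.stripped_user_name)   # LDAP sees the bare name
    if "@" in user_name:
        return ("reject", None)                       # unknown or wrong-case realm
    return ("continue", user_name)                    # no realm at all: bare name as-is

if __name__ == "__main__":
    for name in ("testuser@foobar.net", "testuser@FOOBAR.NET", "testuser"):
        print(name, "->", suffix_lookup(name), authorize_decision(name))
```

Because the lookup is an exact string match, "testuser@FOOBAR.NET" is a miss when only "realm foobar.net { }" is defined; if both spellings must be accepted, each needs its own stanza (or a regex realm, which proxy.conf documents separately).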
