3.2.0: dynamic_home_servers ?
Stefan Winter
stefan.winter at restena.lu
Tue May 31 12:51:51 UTC 2022
Hi again,
I'm now trying this out in a more near-life environment with a long list
of statically defined realms from proxy.conf AND dynamic discovery.
It appears that the case "0" - realm exists and is statically defined -
doesn't really work, or I misunderstand what statically defined means in
this context.
In authorize, I call suffix and later the "case" conditional for dynamic
home servers.
- suffix finds the realm, sets Proxy-To-Realm
- switch does NOT consider the realm statically defined and triggers
dynamic discovery instead. This looks as follows:
EXPAND %{home_server_dynamic:%{1}}
-->
even though suffix has loaded the realm list and has already set
Proxy-To-Realm. Full debug below, plus the realm definition:
I'm musing whether "statically defined" merely means that a realm was in
the home_servers/ directory at startup already; and dynamic means it was
added during runtime? That would make the whole statement much less
useful...
Stefan
home_server server_158.64.1.8 {
    ipaddr = 158.64.1.8
    port = 0
    type = "auth+acct"
    secret = <<< secret >>>
    response_window = 30.000000
    response_timeouts = 1
    max_outstanding = 65536
    zombie_period = 40
    status_check = "none"
    ping_interval = 30
    check_timeout = 4
    num_answers_to_alive = 3
    revive_interval = 300
    limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
    }
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
    recv_coa {
    }
}
home_server server_158.64.1.43 {
    ipaddr = 158.64.1.43
    port = 0
    type = "auth+acct"
    secret = <<< secret >>>
    response_window = 30.000000
    response_timeouts = 1
    max_outstanding = 65536
    zombie_period = 40
    status_check = "none"
    ping_interval = 30
    check_timeout = 4
    num_answers_to_alive = 3
    revive_interval = 300
    limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
    }
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
    recv_coa {
    }
}
home_server_pool education.lu_pool {
    type = fail-over
    home_server = server_158.64.1.8
    home_server = server_158.64.1.43
}
realm education.lu {
    pool = education.lu_pool
    nostrip
}
Ready to process requests
Thread 1 waiting to be assigned a request
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
(0) Received Access-Request Id 254 from 127.0.0.1:56410 to 127.0.0.1:11812 length 95
(0) User-Name = "stefan at education.lu"
(0) User-Password = "test123"
(0) NAS-IP-Address = 158.64.1.52
(0) NAS-Port = 123
(0) Message-Authenticator = 0x169c5902b42c13cc9e5b4a06aa5f419a
(0) Framed-Protocol = PPP
(0) # Executing section authorize from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "education.lu" for User-Name = "stefan at education.lu"
(0) suffix: Found realm "education.lu"
(0) suffix: Adding Realm = "education.lu"
(0) suffix: Proxying request from user stefan at education.lu to realm education.lu
(0) suffix: Preparing to proxy authentication request to realm "education.lu"
(0) [suffix] = updated
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) if (User-Name =~ /@(.*)$/) {
(0) if (User-Name =~ /@(.*)$/) -> TRUE
(0) if (User-Name =~ /@(.*)$/) {
(0) switch %{home_server_dynamic:%{1}} {
(0) EXPAND %{home_server_dynamic:%{1}}
(0) -->
(0) case {
(0) update control {
(0) Executing: %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}:
(0) EXPAND prefix
(0) --> prefix
(0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh
(0) --> /opt/freeradius/3.2.0/bin/naptr-eduroam-freeradius.sh
(0) EXPAND %{1}
(0) --> education.lu
(0) EXPAND prefix
(0) --> prefix
(0) EXPAND %{config:prefix}
(0) --> /opt/freeradius/3.2.0
... new connection request on command socket
On 31.05.22 14:35, Alan DeKok wrote:
> On May 31, 2022, at 4:32 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
>> Ah! Could have figured that out myself, I guess.
> It took me a bit of staring at things (and checking the code) to figure it out. I'm a big fan of useful error messages, so that one had to be fixed.
>
>> With this, I now have a patchset to fully automate dynamic lookup, using the naptr-eduroam.sh script from radsecproxy as a discovery base (adapted to also work with RFC7585 NAPTR targets and with that, OpenRoaming).
> Nice!
>
>> This is WIP here: https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:restena-sw-patch-1
> I'll take a look at the PR, thanks.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
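Added example, written for this archive page and not taken from the thread or from FreeRADIUS: a small Python model of the routing decision the post expects from authorize, i.e. a realm that rlm_realm finds in the static proxy.conf definitions goes to its pool with no dynamic discovery, and only an unknown realm is handed to RFC 7585 NAPTR discovery. It does not claim to reproduce what home_server_dynamic actually does in 3.2.0 (that is the open question in the post). The proxy.conf fragment follows the shape of the realm/pool blocks quoted above, the NAPTR answer table is constructed offline, and the function names (parse_static_realms, check_username, discover_naptr, route_request) are this example's own. The NAPTR service tag "aaa+auth:radius.tls.tcp" is the RFC 7585 tag for RADIUS/TLS authentication; "x-eduroam:radius.tls" is the older eduroam tag. The realm that reaches discovery is additionally checked to be a syntactically valid DNS name before anything would be passed to an external lookup script.

```python
"""Static-realm-first routing with RFC 7585 NAPTR fallback (illustrative,
not FreeRADIUS code).  Config text, DNS answers and names are constructed."""
import re

# Constructed proxy.conf-style fragment in the shape of the quoted blocks.
STATIC_PROXY_CONF = """
home_server_pool education.lu_pool {
    type = fail-over
    home_server = server_158.64.1.8
    home_server = server_158.64.1.43
}
realm education.lu {
    pool = education.lu_pool
    nostrip
}
realm restena.lu {
    pool = education.lu_pool
}
"""

# Constructed NAPTR answers: realm -> [(order, preference, flags, service, replacement)].
# Lower order wins, then lower preference; flag "S" means the replacement is an SRV name.
NAPTR_TABLE = {
    "example.org": [
        (100, 10, "S", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.example.org."),
        (100, 20, "S", "x-eduroam:radius.tls", "_radsec._tcp.example.org."),
        (50, 10, "S", "aaa+acct:radius.tls.tcp", "_radiustls-acct._tcp.example.org."),
    ],
    "nowhere.example": [],
}

# Same checks as the filter_username policy visible in the debug output.
FILTER_USERNAME_PATTERNS = [
    (r" ", "space in User-Name"),
    (r"@[^@]*@", "multiple @"),
    (r"\.\.", "consecutive dots"),
    (r"\.$", "trailing dot"),
    (r"@\.", "realm starts with dot"),
]

# Hostname syntax (RFC 1123 labels), applied before a realm is used as a DNS query.
REALM_LABEL = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def parse_static_realms(conf_text):
    """Return {realm: pool} for every `realm NAME { pool = POOL ... }` block.
    Realm names are lower-cased, mirroring rlm_realm's case-insensitive match."""
    realms, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("realm ") and line.endswith("{"):
            current = line[len("realm "):-1].strip().lower()
            realms[current] = None
        elif current and line.startswith("pool"):
            realms[current] = line.split("=", 1)[1].strip()
        elif line == "}":
            current = None
    return realms


def check_username(user_name):
    """Return a rejection reason, or None if User-Name passes filter_username."""
    for pattern, reason in FILTER_USERNAME_PATTERNS:
        if re.search(pattern, user_name):
            return reason
    if "@" in user_name and not re.search(r"@(.+)\.(.+)$", user_name):
        return "realm without a dot"
    return None


def discover_naptr(realm, want="aaa+auth:radius.tls.tcp", legacy="x-eduroam:radius.tls"):
    """Pick the authentication NAPTR record: filter by service tag and "S" flag,
    sort by order, then preference, then prefer the RFC 7585 tag on a full tie.
    Returns the SRV owner name to resolve next, or None."""
    records = NAPTR_TABLE.get(realm, [])
    candidates = [r for r in records if r[3] in (want, legacy) and r[2].upper() == "S"]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (r[0], r[1], 0 if r[3] == want else 1))
    return candidates[0][4]


def route_request(user_name, static_realms):
    """Return (decision, detail): reject/local/static/dynamic."""
    reason = check_username(user_name)
    if reason:
        return ("reject", reason)
    if "@" not in user_name:
        return ("local", None)
    realm = user_name.rsplit("@", 1)[1].lower()
    if realm in static_realms:               # the post's "case 0": no discovery
        return ("static", static_realms[realm])
    if not REALM_LABEL.match(realm):         # never hand junk to a lookup script
        return ("reject", "realm is not a valid DNS name")
    target = discover_naptr(realm)
    if target is None:
        return ("reject", "no dynamic home server for realm")
    return ("dynamic", target)


if __name__ == "__main__":
    static = parse_static_realms(STATIC_PROXY_CONF)
    for name in ("stefan@education.lu", "user@example.org", "user@nowhere.example"):
        print(name, "->", route_request(name, static))
```

The ordering of the checks is the point: the static lookup happens before any DNS or script execution, the realm label is validated against hostname syntax before it could become a query or a script argument, and accounting NAPTR records are filtered out before order/preference sorting rather than after.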