LDAP AD and SAMCompatibleName
Alan DeKok
aland at deployingradius.com
Tue Mar 26 10:48:52 UTC 2024
On Mar 26, 2024, at 1:48 AM, Andrei Katsuk <steep8 at gmail.com> wrote:
> When realm is defined as realm EXAMPLE it grants access for
> EXAMPLE\bob and bob at EXAMPLE.
Yes, I know...
> Currently we do not support the last format that is why I want to
> reject bob at EXAMPLE.
i.e. "it doesn't do anything wrong, but we don't want people using it".
So just *don't tell people* that it works? Document what works, and it should be fine.
For that matter, why support EXAMPLE/user *and* user at example.com? There are few good reasons to allow multiple formats for the same user. Why not simplify things, and just pick one of them?
99% of sites use either a bare name "user", or an email address "user at example.com".
>> Perhaps the "realm" module could be updated to mark if the realm is suffix or prefix. As always, patches are welcome.
>
> What should the modified "realm" module update? Should it return
> some extra values or fill in some new attributes?
The "realm" data structure can be modified to support a "format" string like the "realms" module.
See src/modules/rlm_realm/rlm_realm.c for the handling of data structures + parsing for "format = suffix".
See src/include/realms.h for the "realm" data structure.
See src/main/realms.c for parsing of the data structure.
Once all of that is fixed, the rlm_realm.c file can be modified to check that "realm->format == inst->format", and therefore ignore mismatched realms.
Alan DeKok.
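As an added illustration, not FreeRADIUS code and not part of this thread, the C sketch below models the change described in the message: each realm carries a "format" (prefix or suffix), and a module instance that finds a realm declared for the other format ignores it, leaving the User-Name untouched. The types and functions (realm_t, realm_inst_t, realm_split, classify, check), the realm table and the two instances ("ntdomain" with "\", "suffix" with "@") are constructed for the example; the stock module's real data structures live in the files named above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code. All names here are made up. */
typedef enum { REALM_FORMAT_PREFIX, REALM_FORMAT_SUFFIX } realm_format_t;
typedef enum { REALM_NOOP = 0, REALM_OK = 1 } realm_rcode_t;

typedef struct {
    const char    *name;    /* realm name as configured, e.g. "EXAMPLE" */
    realm_format_t format;  /* hypothetical new field: which format the realm is declared for */
} realm_t;

typedef struct {
    const char    *name;    /* instance name, e.g. "ntdomain" or "suffix" */
    realm_format_t format;  /* format = prefix | suffix */
    char           delim;   /* delimiter = "\\" or "@" */
} realm_inst_t;

/* Constructed realm table: EXAMPLE only as EXAMPLE\user, example.com only as user@example.com. */
static const realm_t g_realms[] = {
    { "EXAMPLE",     REALM_FORMAT_PREFIX },
    { "example.com", REALM_FORMAT_SUFFIX },
};
static const size_t g_nrealms = sizeof(g_realms) / sizeof(g_realms[0]);

/* Constructed instances, one per format. */
static const realm_inst_t g_instances[] = {
    { "ntdomain", REALM_FORMAT_PREFIX, '\\' },
    { "suffix",   REALM_FORMAT_SUFFIX, '@'  },
};
static const size_t g_ninstances = sizeof(g_instances) / sizeof(g_instances[0]);

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static const realm_t *realm_find(const char *name)
{
    for (size_t i = 0; i < g_nrealms; i++)
        if (ci_equal(g_realms[i].name, name)) return &g_realms[i];
    return NULL;
}

/* One instance's view of a User-Name. REALM_OK: split cleanly and the realm is
 * declared for this instance's format. REALM_NOOP: no delimiter, unknown realm,
 * or a realm declared for the other format (the "ignore mismatched realms" step). */
realm_rcode_t realm_split(const realm_inst_t *inst, const char *username,
                          char *user_out, size_t user_len, const realm_t **realm_out)
{
    char realm_name[256];
    const char *user_start, *realm_start, *p;
    size_t user_n, realm_n;

    *realm_out = NULL;
    if (inst->format == REALM_FORMAT_PREFIX) {
        p = strchr(username, inst->delim);          /* REALM\user: first delimiter */
        if (!p) return REALM_NOOP;
        realm_start = username; realm_n = (size_t)(p - username);
        user_start  = p + 1;    user_n  = strlen(user_start);
    } else {
        p = strrchr(username, inst->delim);         /* user@REALM: last delimiter */
        if (!p) return REALM_NOOP;
        user_start  = username; user_n  = (size_t)(p - username);
        realm_start = p + 1;    realm_n = strlen(realm_start);
    }
    /* Empty halves or oversized parts are not a realm-qualified name. */
    if (user_n == 0 || realm_n == 0 || realm_n >= sizeof(realm_name) || user_n >= user_len)
        return REALM_NOOP;
    memcpy(realm_name, realm_start, realm_n);
    realm_name[realm_n] = '\0';

    const realm_t *r = realm_find(realm_name);
    if (!r) return REALM_NOOP;                        /* unknown realm: leave name alone */
    if (r->format != inst->format) return REALM_NOOP; /* declared for the other format: ignore */

    memcpy(user_out, user_start, user_n);
    user_out[user_n] = '\0';
    *realm_out = r;
    return REALM_OK;
}

/* Run a name through every instance; the first one that claims it wins. */
realm_rcode_t classify(const char *username, char *user_out, size_t user_len,
                       const char **realm_name_out)
{
    const realm_t *r;
    *realm_name_out = NULL;
    for (size_t i = 0; i < g_ninstances; i++)
        if (realm_split(&g_instances[i], username, user_out, user_len, &r) == REALM_OK) {
            *realm_name_out = r->name;
            return REALM_OK;
        }
    return REALM_NOOP;
}

/* Returns 1 when classify() yields the expected result (want_realm == NULL means NOOP). */
int check(const char *username, const char *want_user, const char *want_realm)
{
    char user[64];
    const char *realm;
    realm_rcode_t rc = classify(username, user, sizeof(user), &realm);
    if (!want_realm) return rc == REALM_NOOP;
    return rc == REALM_OK && strcmp(user, want_user) == 0 && strcmp(realm, want_realm) == 0;
}

int main(void)
{
    const char *names[] = { "EXAMPLE\\bob", "bob@EXAMPLE", "bob@example.com", "bob" };
    char user[64];
    const char *realm;
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (classify(names[i], user, sizeof(user), &realm) == REALM_OK)
            printf("%-16s -> user=%s realm=%s\n", names[i], user, realm);
        else
            printf("%-16s -> noop (name left as-is)\n", names[i]);
    }
    return 0;
}
```

With EXAMPLE declared as prefix-only, "EXAMPLE\bob" is split by the ntdomain instance, while "bob@EXAMPLE" is found by the suffix instance but ignored because the realm's format does not match, so the name is never stripped and the request carries on as if no realm were present.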