Re: Setting Realm attribute based on NAS-IP-Address?

Wed, 05 Mar 2003 16:10:52 -0800 

I am looking to do something similar.  I am using the Realm that comes in
as part of the username for authentication.  We have an LDAP backend so
we are doing something like this.

filter = "(&(uid=%{Stripped-User-Name})(domain=%{Realm}))"

If they come in with a user, such as [EMAIL PROTECTED], then the user lookup
will be uid=me,domain=mydomain.com,o=myorganization.  This is done so we
can have a user named [EMAIL PROTECTED] and [EMAIL PROTECTED] be different
users.

I have used rlm_rewrite to rewrite a NULL into mydomain2.  But, what I
really need is the same functionality, but based on NAS-IP.

For example,

        attr_rewrite tester {
                attribute = NAS-IP-Address
                searchin = packet
                searchfor = "10.0.0.1
                replacewith = "mydomain2.com"
                ignore_case = yes
                new_attribute = yes
                new_attribute_name = Realm
                max_matches = 10
                append = no
        }



Any suggestions on using attr_rewrite or another method of doing this?

Thanks
Dustin Doris




On Fri, 28 Feb 2003, Chris Parker wrote:

> At 07:51 AM 2/28/2003 -0700, [EMAIL PROTECTED] wrote:
> >Quoting Chris Parker <[EMAIL PROTECTED]>:
> >
> > > At 01:30 PM 2/21/2003 -0500, Derrik Pates wrote:
> > > >On Fri, Feb 21, 2003 at 12:18:00PM -0600, Chris Parker wrote:
> > > > > DEFAULT   NAS-IP-Address == a.b.c.d, Proxy-To-Realm := "foobar"
> > > > >        Fall-Through = Yes
> >
> > > I believe it should be.  You'll want to check it yourself to make sure
> > > your setup is behaving as you want.
> >
> >I did try that, unfortunately no dice. I need to be able to set the realm, and
> >then use it later in the 'users' file (for assigning Auth-Type/Autz-Type).
> >
> >You're going to say, "ok, so why not just assign those and forget about the
> >realm?" Well, that'd be because we need to be able to set Simultaneous-Use
> >restrictions based on LDAP groups, and I'd rather not have to duplicate that
> >entire thing just for the IP address of one (or potentially more) RAS servers.
> >
> >Any other thoughts?
>
> If you are basing on NAS-IP-Address, why not use the 'Huntgroups' feature?
>
> -Chris
> --
>     \\\|||///  \          StarNet Inc.      \         Chris Parker
>     \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
>     | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
> oOo---(_)---oOo--\------------------------------------------------------
>                    \ Wholesale Internet Services - http://www.megapop.net
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to