I should have explained that rewrite example better. It would look more
like this.
attr_rewrite tester {
    (if NAS-IP-Address = 10.0.0.1) * add this to the normal rules
    attribute = Realm
    searchin = packet
    searchfor = NULL
    replacewith = "mydomain2.com"
    ignore_case = yes
    new_attribute = no
    max_matches = 10
    append = no
}
Then in radius.conf I would have
authorize {
    preprocess
    suffix
    tester
    files
    ldap {
        notfound = return
    }
}
On Wed, 5 Mar 2003, freeradius mailing list wrote:
>
> I am looking to do something similar. I am using the Realm that comes in
> as part of the username for authentication. We have an LDAP backend so
> we are doing something like this.
>
> filter = "(&(uid=%{Stripped-User-Name})(domain=%{Realm}))"
>
> If they come in with a user, such as [EMAIL PROTECTED], then the user lookup
> will be uid=me,domain=mydomain.com,o=myorganization. This is done so we
> can have a user named [EMAIL PROTECTED] and [EMAIL PROTECTED] be different
> users.
>
> I have used rlm_rewrite to rewrite a NULL into mydomain2. But, what I
> really need is the same functionality, but based on NAS-IP.
>
> For example,
>
> attr_rewrite tester {
>     attribute = NAS-IP-Address
>     searchin = packet
>     searchfor = "10.0.0.1"
>     replacewith = "mydomain2.com"
>     ignore_case = yes
>     new_attribute = yes
>     new_attribute_name = Realm
>     max_matches = 10
>     append = no
> }
>
>
>
> Any suggestions on using attr_rewrite or another method of doing this?
>
> Thanks
> Dustin Doris
>
>
>
>
> On Fri, 28 Feb 2003, Chris Parker wrote:
>
> > At 07:51 AM 2/28/2003 -0700, [EMAIL PROTECTED] wrote:
> > >Quoting Chris Parker <[EMAIL PROTECTED]>:
> > >
> > > > At 01:30 PM 2/21/2003 -0500, Derrik Pates wrote:
> > > > >On Fri, Feb 21, 2003 at 12:18:00PM -0600, Chris Parker wrote:
> > > > > > DEFAULT NAS-IP-Address == a.b.c.d, Proxy-To-Realm := "foobar"
> > > > > > Fall-Through = Yes
> > >
> > > > I believe it should be. You'll want to check it yourself to make sure
> > > > your setup is behaving as you want.
> > >
> > >I did try that, unfortunately no dice. I need to be able to set the realm, and
> > >then use it later in the 'users' file (for assigning Auth-Type/Autz-Type).
> > >
> > >You're going to say, "ok, so why not just assign those and forget about the
> > >realm?" Well, that'd be because we need to be able to set Simultaneous-Use
> > >restrictions based on LDAP groups, and I'd rather not have to duplicate that
> > >entire thing just for the IP address of one (or potentially more) RAS servers.
> > >
> > >Any other thoughts?
> >
> > If you are basing on NAS-IP-Address, why not use the 'Huntgroups' feature?
> >
> > -Chris
> > --
> > \\\|||/// \ StarNet Inc. \ Chris Parker
> > \ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
> > | @ @ | \ http://www.starnetwx.net \ (847) 963-0116
> > oOo---(_)---oOo--\------------------------------------------------------
> > \ Wholesale Internet Services - http://www.megapop.net
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html