What is the best way to "block" the NULL realm ?
Blocking any realm would also be very useful when users from some other realm should not be allowed to log into this network.
I've added a realm option that blocks a certain realm. This way I can deny access for users from certain realms and when used with a NULL realm, users are forced to always specify a @realm with their username :).
===============================================================
--- raddb/proxy.conf.orig 2004-03-08 14:08:16.000000000 +0100
+++ raddb/proxy.conf 2004-03-08 14:11:07.000000000 +0100
@@ -278,6 +278,14 @@
 #}
#
+# All users have to enter [EMAIL PROTECTED] or their access is
+# blocked.
+#
+#realm NULL {
+# blocked
+#}
+
+#
# This realm is for ALL OTHER requests.
#
#realm DEFAULT {
--- doc/proxy.orig 2004-03-08 14:00:25.000000000 +0100
+++ doc/proxy 2004-03-08 14:07:02.000000000 +0100
@@ -67,6 +67,10 @@
user who enters '[EMAIL PROTECTED]' from being proxied if the 'foobar'
realm configuration contains 'notrealm'. This function used to be
called 'notsuffix', and the old syntax is still supported.
+ - blocked:
+ User access from blocked realm is denied. Usable for denying
+ access from the listed realm.
+2. WHAT HAPPENS
--- ./src/include/radiusd.h.orig 2004-03-08 13:23:44.000000000 +0100
+++ ./src/include/radiusd.h 2004-03-08 13:24:25.000000000 +0100
@@ -121,6 +121,7 @@
int striprealm;
int trusted; /* old */
int notrealm;
+ int blocked; /* realm is blocked and user should be
rejected */
int active; /* is it dead? */
time_t wakeup; /* when we should try it again */
int acct_active;
--- ./src/main/files.c.orig 2004-03-08 13:33:48.000000000 +0100
+++ ./src/main/files.c 2004-03-08 13:34:46.000000000 +0100
@@ -444,6 +444,8 @@
c->notrealm = 1;
if (strstr(opts, "notsuffix") != NULL)
c->notrealm = 1;
+ if (strstr(opts, "blocked") != NULL)
+ c->blocked = 1;
}
 c->next = NULL;
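Review bot: The added `strstr(opts, "blocked")` test matches the word anywhere in the option string, so any other option or value that merely contains "blocked" would also set the flag. This follows the neighbouring `notsuffix` check and fails towards denying a realm rather than allowing one, but comparing whole option tokens would be safer. The hunk also never shows `c->blocked` being cleared for realms without the option; if the REALM allocation outside the hunk is not zeroed, add `c->blocked = 0;` before the option checks.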
--- ./src/main/mainconfig.c.orig 2004-03-08 13:33:54.000000000 +0100
+++ ./src/main/mainconfig.c 2004-03-08 13:35:41.000000000 +0100
@@ -479,6 +479,8 @@
c->notrealm = 1;
if ((cf_section_value_find(cs, "notsuffix")) != NULL)
c->notrealm = 1;
+ if ((cf_section_value_find(cs, "blocked")) != NULL)
+ c->blocked = 1;
if ((t = cf_section_value_find(cs,"ldflag")) != NULL) {
static const LRAD_NAME_NUMBER ldflags[] = {
{ "fail_over", 0 },
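Review bot: The new `cf_section_value_find(cs, "blocked") != NULL` check tests only that the key is present, so a realm section that spells out something like `blocked = no` would presumably still be blocked. That matches how `notsuffix` is handled just above, and the surprise is a denial rather than an unintended allow, but it should be stated where the flag is set, e.g. `/* presence of "blocked" enables it; any value is ignored */`. The enclosing function starts and ends outside the hunk.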
--- ./src/modules/rlm_realm/rlm_realm.c.orig 2004-03-08 13:25:00.000000000 +0100
+++ ./src/modules/rlm_realm/rlm_realm.c 2004-03-08 13:32:46.000000000 +0100
@@ -212,6 +212,10 @@
* Perhaps accounting proxying was turned off.
*/
case PW_ACCOUNTING_REQUEST:
+ if (1 == realm->blocked) {
+ DEBUG2(" rlm_realm: Realm is blocked.");
+ break;
+ }
if (realm->acct_ipaddr == htonl(INADDR_NONE)) {
DEBUG2(" rlm_realm: Accounting realm is LOCAL.");
return NULL;
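Review bot: The blocked checks added to the switch (here under `PW_ACCOUNTING_REQUEST` and again under `PW_AUTHENTICATION_REQUEST` in the next hunk) compare with `1 == realm->blocked`, while the callers patched further down test `if (realm->blocked)`. Both parsers set exactly 1 today, but any other non-zero value would skip the early `break` and, for a LOCAL realm, reach `return NULL`, so the caller would never see the realm and would not reject. Use the same truthiness test in all four places, `if (realm->blocked) {`. The `break` also relies on code after the switch, outside this hunk, handing the realm back to the caller; a comment such as `/* leave the switch so the caller sees the realm and rejects */` would document that dependency.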
@@ -227,6 +231,10 @@
* Perhaps authentication proxying was turned off.
*/
case PW_AUTHENTICATION_REQUEST:
+ if (1 == realm->blocked) {
+ DEBUG2(" rlm_realm: Realm is blocked.");
+ break;
+ }
if (realm->ipaddr == htonl(INADDR_NONE)) {
DEBUG2(" rlm_realm: Authentication realm is LOCAL.");
return NULL;
@@ -353,6 +361,13 @@
}
 /*
+ * If realm is blocked, reject the request.
+ */
+ if (realm->blocked) {
+ return RLM_MODULE_REJECT;
+ }
+
+ /*
* Maybe add a Proxy-To-Realm attribute to the request.
*/
DEBUG2(" rlm_realm: Preparing to proxy authentication request to realm
\"%s\"\n",
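Review bot: The new `return RLM_MODULE_REJECT;` leaves no trace outside debug mode, because the only message for a blocked realm is the `DEBUG2` line added in the switch earlier in the file. A policy denial like this should reach the normal log so operators can tell a blocked realm from a bad password and can spot repeated attempts, e.g. `radlog(L_AUTH, "rlm_realm: rejecting request, realm is blocked");` before the return, ideally with the realm name as the `DEBUG2` call below prints it. The enclosing function starts and ends outside the hunk.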
@@ -371,9 +386,9 @@
const char *name = (char *)request->username->strvalue;
REALM *realm;
- if (!name)
- return RLM_MODULE_OK;
-
+ if (!name) {
+ return RLM_MODULE_OK;
+ }
 /*
* Check if we've got to proxy the request.
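Review bot: The guard being re-braced here tests `name`, but `request->username` has already been dereferenced on the declaration line above it. Unless a caller outside the hunk guarantees the attribute, a packet without User-Name would fault before the check is reached. Since the lines are being touched anyway, test the pointer that can actually be NULL, `if (!request->username) { return RLM_MODULE_OK; }`, and read `strvalue` into `name` only after that. The function continues past the end of the hunk.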
@@ -385,6 +400,12 @@
return RLM_MODULE_NOOP;
}
+ /*
+ * If realm is blocked, reject the request.
+ */
+ if (realm->blocked) {
+ return RLM_MODULE_REJECT;
+ }
 /*
* Maybe add a Proxy-To-Realm attribute to the request.
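Review bot: This second `return RLM_MODULE_REJECT;` appears to sit in the accounting handler (the function opened in the previous hunk, whose start and end are outside this hunk), so a blocked realm also drops accounting packets. RADIUS has no accounting reject reply, so the NAS would most likely just retransmit, and records for sessions already running when the realm was blocked would be missing from the audit trail. If that is intended, say so in the comment, e.g. `* If realm is blocked, reject the request; accounting for this realm is dropped on purpose.`; otherwise consider returning `RLM_MODULE_NOOP` here and blocking only authentication.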
===============================================================-- Lep pozdrav, Rok Papez.

