Problem: Cannot expand %{Realm} or %{Suffix} control attributes for use unless
realm is explicitly defined in proxy.conf

I'm using freeradius2-2.1.7-7.el5 with ldap module. I would like to perform an
ldap dip to get the radiusProxyToRealm attribute for each request based on
Suffix as configured in modules/ldap:

    filter = "(radiusRealm=%{Suffix})"

NOTE: If using <filter = "(radiusRealm=domain.com)"> in modules/ldap,
radiusProxyToRealm is returned successfully and things work as expected. In
this case the Proxy-To-Realm (which is mapped in ldap.attrmap) is set in ldap
to proxy.com and proxy.com is defined in proxy.conf.

Output from radiusd -X:

...
[suffix] Looking up realm "domain.com" for User-Name = "[email protected]"
[suffix] No such realm "domain.com"
++[suffix] returns noop
++[files] returns noop
[ldap] performing user authorization for [email protected]
[ldap] expand: (radiusRealm=%{Suffix}) -> (radiusRealm=)
...

After reading man unlang, I have also attempted (without success) to expand
using the following in ldap filter:

    %{control:Realm}
    %{control:Suffix}
    %{suffix:User-Name}
    %{realm:User-Name}

Finally, after revisiting man rlm_realm, I read the following which is of
concern as I don't see any other way to utilize the radiusProxyToRealm
attribute in ldap:

"In either case, a Realm attribute is created and added to the packet on a
match, which can be used by other modules."

Is there currently any way to always match (regardless if the realm is defined
in proxy.conf) in order to create a Stripped-User-Name and Realm run-time
variable with every request?

Regards,
Rob
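
An added example, not part of the original post and not FreeRADIUS code: a small Python model of the behaviour in the debug output above, where the realm lookup adds Realm only on a match, so the filter expands to an empty value. The function names, the `always_match` switch, the configured realm set, and the RFC 4515 escaping of expanded values are all assumptions of this model; the escaping matters once the realm is taken from every User-Name rather than only from realms listed in proxy.conf.

```python
import re

# Constructed stand-in for the realms defined in proxy.conf (assumption).
CONFIGURED_REALMS = {"proxy.com"}

_XLAT = re.compile(r"%\{([A-Za-z-]+)\}")


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def suffix_lookup(user_name, realms, always_match=False):
    """Model of a suffix realm lookup: split User-Name on the last '@'.

    Returns the attributes added to the request. With always_match=False
    nothing is added unless the realm is configured, as in the debug output.
    """
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return {}
    if realm in realms or always_match:
        return {"Stripped-User-Name": user, "Realm": realm}
    return {}


def expand_filter(template, attrs):
    """Expand %{Attr} references; an unset attribute expands to ''."""
    return _XLAT.sub(lambda m: ldap_escape(attrs.get(m.group(1), "")), template)


def build_filter(user_name, always_match):
    attrs = suffix_lookup(user_name, CONFIGURED_REALMS, always_match)
    return expand_filter("(radiusRealm=%{Realm})", attrs)


if __name__ == "__main__":
    # Constructed User-Name values, including one with a filter metacharacter.
    for name in ("user@domain.com", "user@proxy.com", "user@*"):
        print(name, build_filter(name, False), build_filter(name, True))
```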