On Tue, Jan 25, 2011 at 01:52:21PM +0100, Alan DeKok wrote: > The named realms are used by the "realms" module to find a matching name. > > > Looks like up until 2.1.8, the AVP Realm was always created with > > Realm-the-character-string as it came from the request, but with 2.1.9, > > this changed to Realm-the-instance-name. > > Hmm... I think it's the other way around. In 2.1.9, a regex realm > results in "Realm = match", instead of "Realm = regex".
Correct. > > Problem is, both of these can be valuable somehow, and need to be > > addressable. In a rlm_linelog, I care about logging the actual input; at > > other places, I may want to check which path the packet will take. > > > > In short, I think there should be two attributes: one to contain the > > instance name, one with the string. Using unlang is of course possible, > > but clumsy - it worked without before. > > There's utility creating two attributes, I think. CPU cycles are burned within the rlm_realm to extract both, the realm as entered by the user and the matched proxy.conf realm entry. The Proxy-To-Realm attribute holds the latter value (realm_authorize & realm_preacct function calls). The Realm attribute is set to the same value except holding a regex. It's set to the former value in such a case. In other words, "DEFAULT" proxy.conf entry is the only case, when the Realm attribute doesn't exactly match (string, case insensitive) the realm as entered by the user. Martin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
