> ignore me. i'm tired. yes, this is a little bit of pain.
I understand. I wondered about that when I saw the ac.uk. You must be working
hours similar to mine. (That is, all of them.)
> you'll be best off using a bit of unlang eg
> (put this in the authorize section of your main virtual server)
>
> if ( User-Name =~ /^host\//i ) {
>     if ( User-Name =~ /\\.col\\.missouri\\.edu$/i ) {
>         update control {
>             Proxy-To-Realm := "col.missouri.edu"
>         }
>     }
> }
>
> this will then throw the packet to the part of proxy.conf that has
> col.missouri.edu
>
> a bit of regex foo and you can use %{1} return operators etc rather than
> hardcode things if you want.... alternatively you can deal with what you
> know as yours and then identify what isn't yours and reject or proxy them
>
> machine auth can be pretty nasty...
That looks like Perl. Perl, I can deal with. I do have multiple domains to
attack. If I can come up with something generic that works for at least two
domains, I'll post it here. Looks predictable enough. I'm thinking along the
lines of something like this:
    # BOL, "host", a slash, one or more non-dot characters, a dot,
    # one or more non-whitespace chars, EOL.
    if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {
        update control {
            Proxy-To-Realm := "%{2}"
        }
    }
I have two toddlers crawling on me at the moment (literally), so I haven't
checked unlang syntax, but from Perl, that's more or less what it would look
like. %{1} would contain the host name. Do I need to update the User-Name to
just %{1} and/or update other fields related to the realm (domain)?
It may be difficult to try this before tomorrow morning, since I'm now off
site, but I'll at least work at it until "radiusd -X" is happy with it.
Thanks!
--J
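
Added example, not part of the original message and not FreeRADIUS code: a Python model of the matching logic discussed above, showing what each capture group holds and checking the extracted realm against the realms you actually proxy for before it is used. Python's `re` stands in for the unlang regex; `KNOWN_REALMS`, `route`, the second realm and the reject-unknown policy are assumptions for illustration.

```python
import re

# Pattern with the "+" inside the first group, so group 1 is the whole host label.
MACHINE_RE = re.compile(r"^host/([^.]+)\.(\S+)$", re.IGNORECASE)

# Same pattern with the "+" outside the group: a repeated group keeps only
# its last iteration, so group 1 ends up as a single character.
REPEATED_GROUP_RE = re.compile(r"^host/([^.])+\.(\S+)$", re.IGNORECASE)

# Assumed allow-list: realms that have an entry in proxy.conf.
# "example.edu" is a constructed second domain.
KNOWN_REALMS = {"col.missouri.edu", "example.edu"}


def route(user_name):
    """Return (decision, host, realm) for a User-Name value.

    decision is "local" for anything that is not host/<name>.<domain>,
    "proxy" when the domain is a known realm, and "reject" otherwise, so a
    client-supplied domain never selects a proxy target on its own.
    """
    m = MACHINE_RE.match(user_name)
    if m is None:
        return ("local", None, None)
    host = m.group(1)
    realm = m.group(2).lower()  # realm comparison is case-insensitive
    if realm not in KNOWN_REALMS:
        return ("reject", host, realm)
    return ("proxy", host, realm)


if __name__ == "__main__":
    # Constructed sample User-Name values.
    samples = [
        "host/pc42.col.missouri.edu",
        "HOST/LAB7.EXAMPLE.EDU",
        "host/pc42.unknown.example.org",
        "host/pc42",
        "alice",
    ]
    for name in samples:
        print(name, "->", route(name))
    m = REPEATED_GROUP_RE.match(samples[0])
    print("repeated-group form captures:", m.group(1), m.group(2))
```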