On 14.11.2017 19.54, Robert Blayzor wrote:
> I’m trying to figure out the best way to set a realm but need to fill in some
> blanks on the order of operation.
>
> Using a PreHandlerHook I am looking at the request and trying to set a Realm if
> one does not exist.
>
> My question is, if a Client has a DefaultRealm I assume that would appear in
> get_attr('Realm') ?

get_attr() only looks for attributes that are in the object's attribute
list. If you use Realm, for example in <Handler Realm=example.com>, what
happens is that the username is split with '@' as field delimiter and
the first field is used. In other words, Realm is not an attribute but a
value derived from the username.

> I have clients that cannot have no DefaultRealm so need to set them based on
> other attribute clues so..
>
> Second question is, if RADIUS request comes in with user@realm in the UserName,
> get_attr('Realm') should be set with user supplied realm ?

Since get_attr('Realm') does not work, to get the realm part from the
username you need to do something like below (using shorthand syntax):

> If no value is returned in get_attr('Realm') I’m trying to set the realm based
> on clues from another attribute; ie:
>
> my $p = ${$_[0]};

#
# Split once from the first @
my $username = $p->getUserName();
my ($usernamepart, $realmpart) = split(/@/, $username, 2);
if (defined $realmpart && length($realmpart) > 0) {
    $p->add_attr('X-Realm', $realmpart);
} else {
    # No realm part or it's zero length
    $p->add_attr('X-Realm', ...); # Get value like below
}

> unless (my $r = $p->get_attr('Realm')) {
>   if ($p->get_attr('Connect-Info') =~ /([^\.]+\.[^\.]+)$/) {
>     $p->add_attr('Realm', $1);
>   }
> }
>
> Does the above make sense or should I be using change_attr instead of add_attr
> for the realm?

If you do something like above, you can do <Handler X-Realm=...>. Since
there's no special X-Realm check item, this returns the attribute added
above.
Adding or changing attribute called 'Realm' will not work because Realm
gets its value from User-Name.
If you want to continue using Realm and want to update the User-Name,
call $p->changeUserName($newname) to update request's attribute cache
too. Both getUserName and changeUserName utilise attribute caching so
it's best to access the User-Name attribute with these two methods.
Thanks,
Heikki
--
Heikki Vatiainen <h...@open.com.au>
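
A complete hook along the lines discussed in this thread, as an added example that is not code from Heikki, Robert or the Radiator distribution: it sets X-Realm from the realm part of User-Name and falls back to the Connect-Info pattern from the question. MockPacket and set_x_realm are hypothetical names; MockPacket is a constructed stand-in that only mimics getUserName, get_attr and add_attr so the logic can be run without Radiator.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the request object (hypothetical, not Radiator's
# class). Only the three methods used in this thread are mimicked.
package MockPacket;
sub new { my ($class, %attrs) = @_; return bless { attrs => {%attrs} }, $class }
sub get_attr    { my ($self, $name) = @_; return $self->{attrs}{$name} }
sub add_attr    { my ($self, $name, $value) = @_; $self->{attrs}{$name} = $value; return }
sub getUserName { my ($self) = @_; return $self->{attrs}{'User-Name'} }

package main;

# Hook body: called with a reference to the request, as in the thread.
sub set_x_realm {
    my $p = ${$_[0]};

    # Split once from the first @; User-Name may be absent
    my $username = $p->getUserName();
    my (undef, $realmpart) = split(/@/, defined $username ? $username : '', 2);

    if (!defined $realmpart || length($realmpart) == 0) {
        # No realm in User-Name: fall back to the last two dot-separated
        # labels of Connect-Info, when that attribute is present
        my $info = $p->get_attr('Connect-Info');
        ($realmpart) = $info =~ /([^.]+\.[^.]+)$/ if defined $info;
    }

    # Leave X-Realm unset when neither source gave a usable value
    $p->add_attr('X-Realm', $realmpart)
        if defined $realmpart && length($realmpart) > 0;
    return;
}

# Constructed sample requests: realm in User-Name, realm only derivable
# from Connect-Info, and an empty realm with no fallback available
for my $attrs (
    { 'User-Name' => 'alice@example.com' },
    { 'User-Name' => 'bob', 'Connect-Info' => 'pop1.isp.example.net' },
    { 'User-Name' => 'carol@' },
) {
    my $p = MockPacket->new(%$attrs);
    set_x_realm(\$p);
    my $realm = $p->get_attr('X-Realm');
    printf "%-20s X-Realm=%s\n", $attrs->{'User-Name'},
        defined $realm ? $realm : '(unset)';
}
```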