On 14.11.2017 19.54, Robert Blayzor wrote:
I’m trying to figure out the best way to set a realm but need to fill in some 
blanks on the order of operation.

Using a PreHandlerHook I am looking at the request and trying to set a Realm if 
one does not exist.

My question is, if a Client has a DefaultRealm I assume that would appear in 
get_attr('Realm’) ?

get_attr() only looks for attributes that are in the object's attribute list. If you use Realm, for example in <Handler Realm=example.com>, what happens is that the username is split with '@' as field delimiter and the first field is used. In other words, Realm is not an attribute but a value derived from the username.

I have clients that cannot have no DefaultRealm so need to set them based on 
other attribute clues so..
Second question is, if RADIUS request comes in with user@realm in the UserName, 
get_attr(‘Realm’) should be set with user supplied realm ?

Since get_attr('Realm') does not work, to get the realm part from the username you need to do something like below (using shorthand syntax):

If no value is returned in get_attr('Realm’) I’m trying to set the realm based 
on clues from another attribute; ie:

     my $p = ${$_[0]};

       # Split once from the first @
       my $username = $p->getUserName();
       my ($usernamepart, $realmpart) = split(/@/, $username, 2);

       if (defined $realmpart && length($realmpart) > 0)
           $p->add_attr('X-Realm', $realmpart)
           # No realm part or it's zero length
           $p->add_attr('X-Realm', ...); # Get value like below

     unless (my $r = $p->get_attr('Realm')) {
         if ($p->get_attr('Connect-Info') =~ /([^\.]+\.[^\.]+)$/) {
             $p->add_attr('Realm') = $1;

Does the above make sense or should I be using change_attr instead of add_attr 
for the realm?

If you do something like above, you can do <Handler X-Realm=...>. Since there's no special X-Realm check item, this returns the attribute added above.

Adding or changing attribute called 'Realm' will not work because Realm gets its value from User-Name.

If you want to continue using Realm and want to update the User-Name, call $p->changeUserName($newname) to update request's attribute cache too. Both getUserName and changeUserName utilise attribute caching so it's best to access the User-Name attribute with these two methods.


Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
radiator mailing list

Reply via email to