more careful checks for realm comparisons
authorAlan T. DeKok <aland@freeradius.org>
Thu, 31 Dec 2015 00:51:43 +0000 (19:51 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 31 Dec 2015 00:53:42 +0000 (19:53 -0500)
raddb/policy.d/filter

index f274c7dacad999f33d7cee6f2cc7db5b9c43ab04..0121f29b8f83a033fdcd2dd2c787c9457383bf17 100644 (file)
@@ -169,11 +169,11 @@ filter_inner_identity {
                #  the outer one is "example.com" and the inner
                #  is "secure.example.com"
                #
-               if (&Inner-Realm-Name && \
+               if (&Inner-Realm-Name && &Outer-Realm-Name && \
                    (&Inner-Realm-Name != &Outer-Realm-Name) && \
                    (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) {
                        update request {
-                               Module-Failure-Message = "Inner and outer realms are not compatible"
+                               Module-Failure-Message = "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain."
                        }
                        reject
                }
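Review bot: The sub-domain test `(&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)` still expands the outer realm into the regular expression unescaped, so each "." in a realm such as "example.com" matches any character, and any regex metacharacters in the outer realm become part of the pattern. The outer realm is presumably derived from the client-supplied outer User-Name, so unless an earlier filter (not visible in this hunk) restricts it to hostname characters, the check is looser than the comment above it describes. The new Module-Failure-Message also copies both realm names into the failure text, so it is worth confirming that they are escaped or length-limited wherever that message is logged or returned. A comment above the condition such as `#  Both realm names come from the client; the outer one is used as a regex below.` would record the assumption. filter_inner_identity begins above this hunk.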
@@ -181,5 +181,9 @@ filter_inner_identity {
                #
                #  It's OK to have an outer realm and no inner realm.
                #
+
+               #
+               #  It's OK to have an inner realm and no outer realm.
+               #
        }
 }