From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 31 Dec 2015 00:51:43 +0000 (-0500)
Subject: more careful checks for realm comparisons
X-Git-Tag: release_3_0_11~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f78a0ef421aadbf984d7ca493f23dd410e72702;p=thirdparty%2Ffreeradius-server.git

more careful checks for realm comparisons
---

diff --git a/raddb/policy.d/filter b/raddb/policy.d/filter
index f274c7dacad..0121f29b8f8 100644
--- a/raddb/policy.d/filter
+++ b/raddb/policy.d/filter
@@ -169,11 +169,11 @@ filter_inner_identity {
 		#  the outer one is "example.com" and the inner
 		#  is "secure.example.com"
 		#
-		if (&Inner-Realm-Name && \
+		if (&Inner-Realm-Name && &Outer-Realm-Name && \
 		    (&Inner-Realm-Name != &Outer-Realm-Name) && \
 		    (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) {
 			update request {
-				Module-Failure-Message = "Inner and outer realms are not compatible"
+				Module-Failure-Message = "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain."
 			}
 			reject
 		}
@@ -181,5 +181,9 @@ filter_inner_identity {
 		#
 		#  It's OK to have an outer realm and no inner realm.
 		#
+
+		#
+		#  It's OK to have an inner realm and no outer realm.
+		#
 	}
 }