From: Arran Cudbard-Bell Date: Thu, 30 Jun 2011 15:44:29 +0000 (+0200) Subject: Add NAI (RFC 4282) User-Name splitting policy X-Git-Tag: release_3_0_0_beta0~740 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=540dcb8a733662a6abd12e79839784e67bc052ba;p=thirdparty%2Ffreeradius-server.git Add NAI (RFC 4282) User-Name splitting policy
---
diff --git a/raddb/policy.conf b/raddb/policy.conf
index 7cab32742ee..918c20d880f 100644
--- a/raddb/policy.conf
+++ b/raddb/policy.conf
@@ -24,8 +24,9 @@ policy {
 #
 acct_unique {
 #
- # If we have a class attribute, it'll have a local value (defined by populate_class),
- # this ensures uniqueness and suitability.
+ # If we have a class attribute in the format 'auth_id:[0-9a-f]{32}' it'll have a local
+ # value (defined by insert_acct_class), this ensures uniquenes and suitability.
+ #
 # We could just use the Class attribute as Acct-Unique-Session-Id, but this may cause
 # problems with NAS that carry Class values across between multiple linked sessions.
 # So we rehash class with Acct-Session-ID to provide a truely unique session identifier.
@@ -86,6 +87,28 @@ policy {
 }
 }
+ #
+ # Split User-Name in NAI format (RFC 4282) into components
+ #
+ # This policy writes the Username and Domain portions of the NAI into the
+ # Stripped-User-Name and Stripped-User-Domain attributes.
+ #
+ # The regular expression to do this is not strictly compliant with the standard,
+ # but it is not possible to write a compliant regexp without perl style
+ # regular expressions (or at least not a legible one).
+ #
+ split_username_nai {
+ if(User-Name =~ /^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$/){
+ update request {
+ Stripped-User-Name := "%{1}"
+ Stripped-User-Domain = "%{3}"
+ }
+ }
+ else{
+ noop
+ }
+ }
+
 #
 # Forbid all attempts to login via realms.
 #
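Review bot: In `split_username_nai`, `Stripped-User-Domain = "%{3}"` uses `=` while the line above it uses `:=`, so a Stripped-User-Domain already present in the request is kept and can disagree with the Stripped-User-Name this policy has just overwritten. Any later realm-based decision would then act on the stale value; I would write `Stripped-User-Domain := "%{3}"` and set it only when the realm group actually matched, since for a User-Name without `@` the `%{3}` expansion is presumably an empty string. Separately, the realm class `[-[:alnum:].]+` accepts consecutive and trailing dots, and the user part `[^@]*` accepts an empty name. A User-Name that fails the match falls through to `noop` with neither attribute set, so the header comment should say that callers must handle the unset case, for example `# Names that do not match are left untouched; reject them in the caller if a well-formed NAI is required.`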