[RADIATOR] Realm processing via hook

Heikki Vatiainen hvn at open.com.au
Wed Nov 15 15:39:55 UTC 2017


On 14.11.2017 19.54, Robert Blayzor wrote:
> I’m trying to figure out the best way to set a realm but need to fill in some blanks on the order of operation.
> 
> Using a PreHandlerHook I am looking at the request and trying to set a Realm if one does not exist.
> 
> My question is, if a Client has a DefaultRealm I assume that would appear in get_attr('Realm')?

get_attr() only looks for attributes that are in the object's attribute 
list. If you use Realm, for example in <Handler Realm=example.com>, what 
happens is that the username is split with '@' as field delimiter and 
the first field is used. In other words, Realm is not an attribute but a 
value derived from the username.

> I have clients that cannot have no DefaultRealm so need to set them based on other attribute clues so..
> Second question is, if RADIUS request comes in with user at realm in the UserName, get_attr('Realm') should be set with user supplied realm?

Since get_attr('Realm') does not work, to get the realm part from the 
username you need to do something like below (using shorthand syntax):

> If no value is returned in get_attr('Realm') I’m trying to set the realm based on clues from another attribute; ie:
> 
> 
>      my $p = ${$_[0]};
>      #

        # Split once from the first @
        my $username = $p->getUserName();
        my ($usernamepart, $realmpart) = split(/@/, $username, 2);

        if (defined $realmpart && length($realmpart) > 0) {
            $p->add_attr('X-Realm', $realmpart);
        } else {
            # No realm part or it's zero length
            $p->add_attr('X-Realm', ...); # Get value like below
        }

>      unless (my $r = $p->get_attr('Realm')) {
>          if ($p->get_attr('Connect-Info') =~ /([^\.]+\.[^\.]+)$/) {
>              $p->add_attr('Realm') = $1;
>          }
>      }
> 
> 
> Does the above make sense or should I be using change_attr instead of add_attr for the realm?

If you do something like above, you can do <Handler X-Realm=...>. Since 
there's no special X-Realm check item, this returns the attribute added 
above.

Adding or changing attribute called 'Realm' will not work because Realm 
gets its value from User-Name.

If you want to continue using Realm and want to update the User-Name, 
call $p->changeUserName($newname) to update request's attribute cache 
too. Both getUserName and changeUserName utilise attribute caching so 
it's best to access the User-Name attribute with these two methods.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
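
The hook logic discussed in this thread, put together as an added example (not code from the original message or from Radiator itself). The MockRequest package is a constructed stand-in that mimics only the methods named above so the hook runs offline; the sample requests are constructed, and the character-set check on the derived realm is an added assumption, not something the thread specifies.

```perl
use strict;
use warnings;

# Constructed stand-in for Radiator's request object, so the hook can be
# exercised offline. Only the methods named in the reply are mimicked.
package MockRequest;
sub new         { my ($class, %attrs) = @_; return bless { %attrs }, $class }
sub getUserName { return $_[0]{'User-Name'} }
sub get_attr    { return $_[0]{ $_[1] } }
sub add_attr    { $_[0]{ $_[1] } = $_[2]; return }

package main;

# Hook body: the request arrives as a reference in $_[0], as in the thread.
my $hook = sub {
    my $p = ${ $_[0] };

    # Split once from the first @; Realm itself is derived, not stored.
    my $username = $p->getUserName();
    my (undef, $realm) = split(/@/, defined $username ? $username : '', 2);

    # No realm part or zero length: fall back to the Connect-Info clue.
    unless (defined $realm && length $realm) {
        my $info = $p->get_attr('Connect-Info');
        ($realm) = $info =~ /([^\.]+\.[^\.]+)$/ if defined $info;
    }

    # Assumption: the value is client-supplied, so only a plain
    # DNS-style name is allowed to drive Handler selection.
    return unless defined $realm && $realm =~ /\A[A-Za-z0-9.-]+\z/;
    $p->add_attr('X-Realm', $realm);
    return;
};

# Constructed sample requests.
for my $attrs (
    { 'User-Name' => 'alice@example.com' },
    { 'User-Name' => 'bob',  'Connect-Info' => 'pop1.example.net' },
    { 'User-Name' => 'eve@', 'Connect-Info' => 'bad realm' },
) {
    my $p = MockRequest->new(%$attrs);
    $hook->(\$p);
    my $x = $p->get_attr('X-Realm');
    printf "%-18s X-Realm=%s\n", $attrs->{'User-Name'}, defined $x ? $x : '(not set)';
}
```

A request that ends up with no X-Realm matches no <Handler X-Realm=...> clause, so whichever handler catches unmatched requests decides its outcome.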

