summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorvenaas <venaas>2007-05-23 08:26:04 +0000
committervenaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf>2007-05-23 08:26:04 +0000
commit9eebebe0b40c6456fa974c744c48f07ed2f53f7f (patch)
tree2ef44c743e733f440c608ea474cf7f388e8d53ba
parentb1cf2a9afe47bfd3872ccaf88b1470080fd84633 (diff)
now uses regexp for realms including warnings that will be removed later
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@96 e88ac4ed-0b26-0410-9574-a7f39faa03bf
-rw-r--r--radsecproxy.c32
-rw-r--r--radsecproxy.conf-example19
2 files changed, 18 insertions, 33 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index a3d8ff5..079aaa8 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -995,30 +995,6 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
}
struct server *id2server(char *id, uint8_t len) {
-#ifndef REGEXP
- int i;
- char *idrealm;
- struct server *deflt = NULL;
-
- idrealm = strchr(id, '@');
- if (idrealm) {
- idrealm++;
- len -= idrealm - id;
- } else {
- idrealm = "-";
- len = 1;
- }
-
- for (i = 0; i < realm_count; i++) {
- if (!deflt && realms[i].name[0] == '*' && realms[i].name[1] == '\0')
- deflt = realms[i].server;
- else if (!strncasecmp(idrealm, realms[i].name, len)) {
- debug(DBG_DBG, "found matching realm: %s, host %s", realms[i].name, realms[i].server->peer.host);
- return realms[i].server;
- }
- }
- return deflt;
-#else
int i;
for (i = 0; i < realm_count; i++)
if (!regexec(&realms[i].regex, id, 0, NULL, 0)) {
@@ -1026,7 +1002,6 @@ struct server *id2server(char *id, uint8_t len) {
return realms[i].server;
}
return NULL;
-#endif
}
int rqinqueue(struct server *to, struct client *from, uint8_t id) {
@@ -1707,6 +1682,13 @@ void addrealm(char *value, char *server) {
if (i == server_count)
debugx(1, DBG_ERR, "addrealm failed, no server %s", server);
+ /* temporary warnings */
+ if (*value == '*')
+ debugx(1, DBG_ERR, "Regexps are now used for specifying realms, a string\nstarting with '*' is meaningless, you probably want '.*' for matching everything\nEXITING\n");
+ if (value[strlen(value) - 1] != '$' && value[strlen(value) - 1] != '*') {
+ debug(DBG_ERR, "Regexps are now used for specifying realms, you\nprobably want to rewrite this as e.g. '@example\\.com$' or '\\.com$'\nYou can even do things like '[a-n].*@example\\.com$' to make about half of the\nusers use this server. Note that the matching is case insensitive.\n");
+ sleep(3);
+ }
realm_count++;
realms = realloc(realms, realm_count * sizeof(struct realm));
if (!realms)
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 62d5836..6e1c055 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -33,6 +33,13 @@ TLSCertificateKeyPassword follow the white rabbit
#also the lines above may be in any order, except that a realm
#can only be configured to use a server that is previously configured.
+#Also note that case insensitive regexp is used for realms, matching
+#the entire username string. The matching is done in the order the
+#realms are specified, using the first match found. Some examples are
+#"@example\.com$", "\.com$", ".*" and "[a-z].*@example\.com$".
+#To treat local users separately you might try first specifying "@"
+#and after that ".*".
+
client 2001:db8::1 {
type tls
secret verysecret
@@ -50,7 +57,7 @@ server 127.0.0.1 {
type UDP
secret secret
}
-realm eduroam.cc {
+realm @eduroam\.cc$ {
server 127.0.0.1
}
@@ -64,16 +71,12 @@ server radius.example.com {
secret verysecret
}
-realm example.com {
+realm @example\.com$ {
server 2001:db8::1
}
-realm com {
+realm \.com$ {
server 2001:db8::1
}
-# Matching of realms is done in the order specified.
-# Except * which is a catch all that is used as a last resort
-# The matching is going to be changed to be regexp of the
-# entire username value
-realm * {
+realm .* {
server radius.example.com
}