Commit 9eebebe0 authored by venaas's avatar venaas Committed by venaas

Now uses regexps for realms, including temporary warnings that will be removed later.

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@96 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent b1cf2a9a
...@@ -995,30 +995,6 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, ...@@ -995,30 +995,6 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
} }
struct server *id2server(char *id, uint8_t len) { struct server *id2server(char *id, uint8_t len) {
#ifndef REGEXP
int i;
char *idrealm;
struct server *deflt = NULL;
idrealm = strchr(id, '@');
if (idrealm) {
idrealm++;
len -= idrealm - id;
} else {
idrealm = "-";
len = 1;
}
for (i = 0; i < realm_count; i++) {
if (!deflt && realms[i].name[0] == '*' && realms[i].name[1] == '\0')
deflt = realms[i].server;
else if (!strncasecmp(idrealm, realms[i].name, len)) {
debug(DBG_DBG, "found matching realm: %s, host %s", realms[i].name, realms[i].server->peer.host);
return realms[i].server;
}
}
return deflt;
#else
int i; int i;
for (i = 0; i < realm_count; i++) for (i = 0; i < realm_count; i++)
if (!regexec(&realms[i].regex, id, 0, NULL, 0)) { if (!regexec(&realms[i].regex, id, 0, NULL, 0)) {
...@@ -1026,7 +1002,6 @@ struct server *id2server(char *id, uint8_t len) { ...@@ -1026,7 +1002,6 @@ struct server *id2server(char *id, uint8_t len) {
return realms[i].server; return realms[i].server;
} }
return NULL; return NULL;
#endif
} }
int rqinqueue(struct server *to, struct client *from, uint8_t id) { int rqinqueue(struct server *to, struct client *from, uint8_t id) {
...@@ -1707,6 +1682,13 @@ void addrealm(char *value, char *server) { ...@@ -1707,6 +1682,13 @@ void addrealm(char *value, char *server) {
if (i == server_count) if (i == server_count)
debugx(1, DBG_ERR, "addrealm failed, no server %s", server); debugx(1, DBG_ERR, "addrealm failed, no server %s", server);
/* temporary warnings */
if (*value == '*')
debugx(1, DBG_ERR, "Regexps are now used for specifying realms, a string\nstarting with '*' is meaningless, you probably want '.*' for matching everything\nEXITING\n");
if (value[strlen(value) - 1] != '$' && value[strlen(value) - 1] != '*') {
debug(DBG_ERR, "Regexps are now used for specifying realms, you\nprobably want to rewrite this as e.g. '@example\\.com$' or '\\.com$'\nYou can even do things like '[a-n].*@example\\.com$' to make about half of the\nusers use this server. Note that the matching is case insensitive.\n");
sleep(3);
}
realm_count++; realm_count++;
realms = realloc(realms, realm_count * sizeof(struct realm)); realms = realloc(realms, realm_count * sizeof(struct realm));
if (!realms) if (!realms)
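Review bot: `value[strlen(value) - 1]` in the new trailing-character check indexes one byte before the buffer when `value` is the empty string, so an empty realm name makes addrealm read out of bounds before the realm is ever stored; compute the length once, reject zero, then index, e.g. `size_t vlen = strlen(value);` / `if (!vlen) debugx(1, DBG_ERR, "addrealm failed, empty realm");` / `if (value[vlen - 1] != '$' && value[vlen - 1] != '*') {`. Whether an empty value can reach addrealm depends on the config parser, which is outside this hunk. In the id2server hunk above, the regexec path is now the only one and the `len` parameter no longer appears to be used in the visible lines; regexec reads `id` up to its NUL terminator, so if any caller passes the raw attribute bytes that terminator must be guaranteed there — a comment on the signature such as `/* id must be NUL-terminated: matched with regexec, len is not used */` would make that contract visible. addrealm's body starts before and continues past the hunk.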
...@@ -33,6 +33,13 @@ TLSCertificateKeyPassword follow the white rabbit ...@@ -33,6 +33,13 @@ TLSCertificateKeyPassword follow the white rabbit
#also the lines above may be in any order, except that a realm #also the lines above may be in any order, except that a realm
#can only be configured to use a server that is previously configured. #can only be configured to use a server that is previously configured.
#Also note that case insensitive regexp is used for realms, matching
#the entire username string. The matching is done in the order the
#realms are specified, using the first match found. Some examples are
#"@example\.com$", "\.com$", ".*" and "[a-z].*@example\.com$".
#To treat local users separately you might try first specifying "@"
#and after that ".*".
client 2001:db8::1 { client 2001:db8::1 {
type tls type tls
secret verysecret secret verysecret
...@@ -50,7 +57,7 @@ server 127.0.0.1 { ...@@ -50,7 +57,7 @@ server 127.0.0.1 {
type UDP type UDP
secret secret secret secret
} }
realm eduroam.cc { realm @eduroam\.cc$ {
server 127.0.0.1 server 127.0.0.1
} }
...@@ -64,16 +71,12 @@ server radius.example.com { ...@@ -64,16 +71,12 @@ server radius.example.com {
secret verysecret secret verysecret
} }
realm example.com { realm @example\.com$ {
server 2001:db8::1 server 2001:db8::1
} }
realm com { realm \.com$ {
server 2001:db8::1 server 2001:db8::1
} }
# Matching of realms is done in the order specified. realm .* {
# Except * which is a catch all that is used as a last resort
# The matching is going to be changed to be regexp of the
# entire username value
realm * {
server radius.example.com server radius.example.com
} }