.TH rlm_policy 5 "7 December 2004" "" "FreeRADIUS Module"
rlm_policy \- FreeRADIUS Module
The \fBrlm_policy\fP module implements a simple "policy" language.
.PP
The policy language implemented by this module is simple, and specific
to RADIUS. It does not implement variables, arrays, loops, gotos, or
any other feature of a real language. If those features are needed
for your system, we suggest using \fBrlm_perl\fP.
.PP
What the policy module implements is a simple way to look for
attributes in the request packet (or other places), and to add
attributes to the reply packet (or other places) based on what it
finds. Where the module shines is that it is significantly more
flexible than the old-style \fBusers\fP file.
.PP
The module has one configuration item:
The file where the policy is stored.
.PP
The policy is composed of a series of named policies. The following
example defines a policy named "foo".
.PP
Policy names MAY NOT be the same as attributes in the dictionary.
Defining a policy with the same name as a dictionary attribute will
cause an error message to be printed, and the policy will not be
.PP
When the policy module is listed in a module section like "authorize",
the module calls a policy named "authorize". The "post-auth",
etc. sections behave the same. These names cannot be changed.
.PP
The filename must be in a double-quoted string, and is assumed to be
relative to the location of the current file. If the filename ends
with a '/', then it is assumed to be a directory, and all files in
that directory will be read.
.PP
All files in "dir/" will be read and included into the policy
definition. Any dot files (".", "..", etc.) will not be included,
.SS Including multiple files
The main file referred to from the \fIradiusd.conf\fP may include one
or more other files, as in the following example.
.SS Referencing a named policy
The following example references a named policy.
.PP
While the brackets are required, no arguments may be passed.
.PP
"if" statements are supported.
} else if (expression) {
.SS Expressions within "if" statements
Expressions always have to have brackets around them. Sorry.
.PP
The following kinds of expressions may be used, with their meanings.
.IP (attribute-reference)
TRUE if the referenced attribute exists, FALSE otherwise. See below
for details on attribute references.
FALSE if the expression returned TRUE, and TRUE if the nested expression
.IP "(attribute-reference == value)"
Compares the attribute to the value. The operators here can be "==",
"!=", "=~", "!~", "<", "<=", ">", and ">=".
.IP "(string1 == string2)"
A special case of the above. The "string1" is dynamically expanded at
run time, while "string2" is not. The operators here can be "==",
"!=", "=~", and "!~". Of these, the most useful is "=~", which lets
you do things like ("%{ldap:query...}" =~ "foo=(.*) "). The results
of the regular expression match are put into %{1}, and can be used
later. See "doc/variables.txt" for more information.
.IP "((expression1) || (expression2))"
Short-circuit "or". If expression1 is TRUE, expression2 is not
.IP "((expression1) && (expression2))"
Short-circuit "and". If expression1 is FALSE, expression2 is not
.PP
The && and || operators have equal precedence. You can't call a
function as an expression.
.SS Attribute references
Attribute references are:
.IP Attribute-Name
Refers to an attribute of that name in the Access-Request or
Accounting-Request packet. May also refer to "server-side"
attributes, which are not documented anywhere.
.IP request:Attribute-Name
An alternate way of referencing an attribute in the request packet.
.IP reply:Attribute-Name
An attribute in the reply packet.
.IP proxy-request:Attribute-Name
An attribute in the Access-Request or Accounting-Request packet which
will be proxied to the home server.
.IP proxy-reply:Attribute-Name
An attribute in the Access-Accept or other packet which was received
.IP control:Attribute-Name
An attribute in the per-request configuration and control attributes.
Also known as "check" attributes (doc/variables.txt).
.SS Adding attributes to reply packet (or other location)
attribute-name = value
attribute-name = value
.PP
The first name can be "request", "reply", "control", "proxy-request",
.IP .=
appends attributes to the end of the list
.IP :=
replaces the existing list with the attributes in the block (bad idea)
.IP =
use the operators from "attribute = value" to decide what to do (see "users")
.PP
The block must contain only attributes and values. Nothing else is permitted.
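.PP
A complete policy file, added here as an illustration (it is not from
this man page or the FreeRADIUS sources), tying together the
constructs above: an "if" / "else if" chain, an attribute comparison,
a dynamically expanded string matched with "=~" and reused via %{1},
".=" blocks on the "control" and "reply" lists, and a call to a named
policy. It assumes "policy name { ... }" is the definition syntax
(the page's own definition example is not reproduced here), that "#"
starts a comment, and that 192.0.2.10 and "admin" are constructed
sample values.

```conf
# Added example (not from the man page or the FreeRADIUS sources).
# Assumes "policy name { ... }" defines a named policy and "#" starts
# a comment; 192.0.2.10 and "admin" are constructed sample values.

# A helper policy: the regular-expression match on the dynamically
# expanded User-Name leaves the realm in %{1} (see doc/variables.txt).
policy realm_greeting {
	if ("%{User-Name}" =~ "@(.*)$") {
		reply .= {
			Reply-Message = "Welcome, user of realm %{1}"
		}
	}
}

# Called automatically when rlm_policy is listed in the "authorize"
# section of radiusd.conf; this name cannot be changed.
policy authorize {
	# Refuse the admin account from any NAS other than the one
	# expected to send it, and say why in the reply.
	if ((User-Name == "admin") && (NAS-IP-Address != "192.0.2.10")) {
		control .= {
			Auth-Type = Reject
		}
		reply .= {
			Reply-Message = "admin is not permitted from this NAS"
		}
	} else if (request:Called-Station-Id) {
		# The attribute exists in the request, so it is safe to
		# reference it in the reply.
		reply .= {
			Reply-Message = "Connected via %{Called-Station-Id}"
		}
	}

	# Reference the helper policy: brackets are required, no arguments.
	realm_greeting()
}
```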
.I /etc/raddb/radiusd.conf
Alan DeKok <aland@ox.org>