.\" # DS - begin display
.TH rlm_policy 5 "7 December 2004" "" "FreeRADIUS Module"
rlm_policy \- FreeRADIUS Module
The \fBrlm_policy\fP module implements a simple "policy" language.
The policy language implemented by this module is simple, and specific
to RADIUS. It does not implement variables, arrays, loops, goto's, or
any other feature of a real language. If those features are needed
for your system, we suggest using \fBrlm_perl\fP.
What the policy module implements is a simple way to look for
attributes in the request packet (or other places), and to add
attributes to the reply packet (or other places) based on those
decisions. Where the module shines is that it is significantly more
flexible than the old-style \fBusers\fP file.
The module has one configuration item:
The file where the policy is stored.
The policy is composed of a series of named policies. The following
example defines a policy named "foo".
Policy names MAY NOT be the same as attributes in the dictionary.
Defining a policy with the same name as a dictionary attribute will
cause an error message to be printed, and the policy will not be
When the policy module is listed in a module section like "authorize",
the module calls a policy named "authorize". The "post-auth",
etc. sections behave the same. These names cannot be changed.
The filename must be in a double-quoted string, and is assumed to be
relative to the location of the current file. If the filename ends
with a '/', then it is assumed to be a directory, and all files in
that directory will be read.
All files in "dir/" will be read and included into the policy
definition. Any dot files (".", "..", etc.) will not be included,
.SS Including multiple files
The main file referred to from the \fIradiusd.conf\fP may include one
or more other files, as in the following example.
.SS Referencing a named policy
The following example references a named policy.
While the brackets are required, no arguments may be passed.
"if" statements are supported.
} else if (expression) {
.SS Expressions within "if" statements
Always have to have brackets around them. Sorry.
The following kinds of expressions may be used, with their meanings.
.IP "(attribute-reference)"
TRUE if the referenced attribute exists, FALSE otherwise. See below
for details on attribute references.
FALSE if the expression returned TRUE, and TRUE if the nested expression
.IP "(attribute-reference == value)"
Compares the attribute to the value. The operators here can be "==",
"!=", "=~", "!~", "<", "<=", ">", and ">=".
.IP "(string1 == string2)"
A special case of the above. The "string1" is dynamically expanded at
run time, while "string2" is not. The operators here can be "==",
"!=", "=~", and "!~". Of these, the most useful is "=~", which lets
you do things like ("%{ldap:query...}" =~ "foo=(.*) "). The results
of the regular expression match are put into %{1}, and can be used
later. See "doc/variables.txt" for more information.
.IP "((expression1) || (expression2))"
Short-circuit "or". If expression1 is TRUE, expression2 is not
.IP "((expression1) && (expression2))"
Short-circuit "and". If expression1 is FALSE, expression2 is not
The && and || operators have equal precedence. You can't call a
function as an expression.
.SS Attribute references
Attribute references are:
Refers to an attribute of that name in the Access-Request or
Accounting-Request packet. May also refer to "server-side"
attributes, which are not documented anywhere.
.IP request:Attribute-Name
An alternate way of referencing an attribute in the request packet.
.IP reply:Attribute-Name
An attribute in the reply packet.
.IP proxy-request:Attribute-Name
An attribute in the Access-Request or Accounting-Request packet which
will be proxied to the home server.
.IP proxy-reply:Attribute-Name
An attribute in the Access-Accept or other packet which was received
.IP control:Attribute-Name
An attribute in the per-request configuration and control attributes.
Also known as "check" attributes (doc/variables.txt).
.SS Adding attributes to reply packet (or other location)
attribute-name = value
attribute-name = value
The first name can be "request", "reply", "control", "proxy-request",
.= - appends attributes to the end of the list
:= - replaces the existing list with the attributes in the list (bad idea)
= - use operators from "attribute = value" to decide what to do. (see "users")
The block must contain only attributes and values. Nothing else is permitted.
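As an added illustration (not part of this manual page or of the rlm_policy code), the following Python model implements the expression semantics described above, including regex captures into %{1} and short-circuit && / ||, and applies them in a hypothetical "authorize" policy that appends a Reply-Message with ".=" semantics. The tuple-based expression form, the numeric comparison of integer-looking values, the policy itself and the sample attribute lists are assumptions constructed for the example.

```python
import re

# Constructed sample attribute lists, keyed by the list names rlm_policy uses in references.
SAMPLE = {"request": {"User-Name": "bob", "NAS-Port": "7"}, "reply": {}, "control": {"Auth-Type": "Accept"}}

def lookup(lists, ref):
    """Resolve 'list:Attribute-Name'; a bare name refers to the request packet."""
    lst, _, name = ref.rpartition(":")
    return lists.get(lst or "request", {}).get(name)

def compare(left, op, right, captures):
    """Apply one comparison operator; regex groups are stored as captures['1'], ..."""
    if op in ("=~", "!~"):
        m = re.search(right, left)
        if m:
            captures.update({str(i): g for i, g in enumerate(m.groups(), 1)})
        return bool(m) == (op == "=~")
    try:  # assumption: compare numerically when both sides are integers
        left, right = int(left), int(right)
    except ValueError:
        pass
    return {"==": left == right, "!=": left != right, "<": left < right,
            "<=": left <= right, ">": left > right, ">=": left >= right}[op]

def evaluate(expr, lists, captures):
    """Tuple form of the expression kinds above: exists, not, cmp, or, and."""
    kind = expr[0]
    if kind == "exists":
        return lookup(lists, expr[1]) is not None
    if kind == "not":
        return not evaluate(expr[1], lists, captures)
    if kind == "cmp":
        value = lookup(lists, expr[1])
        return value is not None and compare(value, expr[2], expr[3], captures)
    if kind == "or":   # short-circuit: e2 is not evaluated when e1 is TRUE
        return evaluate(expr[1], lists, captures) or evaluate(expr[2], lists, captures)
    if kind == "and":  # short-circuit: e2 is not evaluated when e1 is FALSE
        return evaluate(expr[1], lists, captures) and evaluate(expr[2], lists, captures)
    raise ValueError("unknown expression kind: %r" % kind)

def authorize(lists):
    """Hypothetical 'authorize' policy: greet lowercase user names on a NAS port below 10."""
    captures = {}
    cond = ("and", ("cmp", "User-Name", "=~", "^([a-z]+)$"),
                   ("cmp", "request:NAS-Port", "<", "10"))
    if evaluate(cond, lists, captures):
        # '.=' semantics: append to the reply list, leaving existing attributes in place
        greeting = re.sub(r"%\{(\d+)\}", lambda m: captures.get(m.group(1), ""), "Hello %{1}")
        lists["reply"]["Reply-Message"] = greeting
    return lists["reply"]
```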
.I /etc/raddb/radiusd.conf
Alan DeKok <aland@ox.org>