6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * FIXME add copyrights
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/autoconf.h>
33 #ifdef HAVE_SYS_TYPES_H
34 #include <sys/types.h>
37 #ifdef HAVE_NETINET_IN_H
38 #include <netinet/in.h>
41 #include <freeradius-devel/radiusd.h>
42 #include <freeradius-devel/modules.h>
44 #define REALM_FORMAT_PREFIX 0
45 #define REALM_FORMAT_SUFFIX 1
47 typedef struct realm_config_t {
55 static CONF_PARSER module_config[] = {
56 { "format", PW_TYPE_STRING_PTR,
57 offsetof(realm_config_t,formatstring), NULL, "suffix" },
58 { "delimiter", PW_TYPE_STRING_PTR,
59 offsetof(realm_config_t,delim), NULL, "@" },
60 { "ignore_default", PW_TYPE_BOOLEAN,
61 offsetof(realm_config_t,ignore_default), NULL, "no" },
62 { "ignore_null", PW_TYPE_BOOLEAN,
63 offsetof(realm_config_t,ignore_null), NULL, "no" },
64 { NULL, -1, 0, NULL, NULL } /* end the list */
68 * Internal function to cut down on duplicated code.
70 * Returns -1 on failure, 0 on no failure. returnrealm
71 * is NULL on don't proxy, realm otherwise.
73 static int check_for_realm(void *instance, REQUEST *request, REALM **returnrealm)
75 char namebuf[MAX_STRING_LEN];
77 char *realmname = NULL;
82 struct realm_config_t *inst = instance;
84 /* initiate returnrealm */
87 if (request->packet->src_ipaddr.af != AF_INET) {
88 DEBUG2("rlm_realm: IPv6 is not supported!");
93 * If the request has a proxy entry, then it's a proxy
94 * reply, and we're walking through the module list again.
96 * In that case, don't bother trying to proxy the request
99 * Also, if there's no User-Name attribute, we can't
102 if ((request->proxy != NULL) ||
103 (request->username == NULL)) {
104 DEBUG2(" rlm_realm: Proxy reply, or no User-Name. Ignoring.");
109 * Check for 'Realm' attribute. If it exists, then we've proxied
110 * it already ( via another rlm_realm instance ) and should return.
113 if ( (vp = pairfind(request->packet->vps, PW_REALM)) != NULL ) {
114 DEBUG2(" rlm_realm: Request already proxied. Ignoring.");
119 * We will be modifing this later, so we want our own copy
122 strlcpy(namebuf, (char *)request->username->vp_strvalue, sizeof(namebuf));
128 case REALM_FORMAT_SUFFIX:
130 /* DEBUG2(" rlm_realm: Checking for suffix after \"%c\"", inst->delim[0]); */
131 realmname = strrchr(username, inst->delim[0]);
138 case REALM_FORMAT_PREFIX:
140 /* DEBUG2(" rlm_realm: Checking for prefix before \"%c\"", inst->delim[0]); */
142 ptr = strchr(username, inst->delim[0]);
146 realmname = username;
157 * Print out excruciatingly descriptive debugging messages
158 * for the people who find it too difficult to think about
162 DEBUG2(" rlm_realm: Looking up realm \"%s\" for User-Name = \"%s\"",
163 realmname, request->username->vp_strvalue);
165 if( inst->ignore_null ) {
166 DEBUG2(" rlm_realm: No '%c' in User-Name = \"%s\", skipping NULL due to config.",
167 inst->delim[0], request->username->vp_strvalue);
170 DEBUG2(" rlm_realm: No '%c' in User-Name = \"%s\", looking up realm NULL",
171 inst->delim[0], request->username->vp_strvalue);
175 * Allow DEFAULT realms unless told not to.
177 realm = realm_find(realmname);
179 DEBUG2(" rlm_realm: No such realm \"%s\"",
180 (realmname == NULL) ? "NULL" : realmname);
183 if( inst->ignore_default &&
184 (strcmp(realm->name, "DEFAULT")) == 0) {
185 DEBUG2(" rlm_realm: Found DEFAULT, but skipping due to config.");
190 DEBUG2(" rlm_realm: Found realm \"%s\"", realm->name);
193 * If we've been told to strip the realm off, then do so.
195 if (realm->striprealm) {
197 * Create the Stripped-User-Name attribute, if it
201 if (request->username->attribute != PW_STRIPPED_USER_NAME) {
202 vp = paircreate(PW_STRIPPED_USER_NAME, PW_TYPE_STRING);
204 radlog(L_ERR|L_CONS, "no memory");
207 pairadd(&request->packet->vps, vp);
208 DEBUG2(" rlm_realm: Adding Stripped-User-Name = \"%s\"", username);
210 vp = request->username;
211 DEBUG2(" rlm_realm: Setting Stripped-User-Name = \"%s\"", username);
214 strcpy(vp->vp_strvalue, username);
215 vp->length = strlen((char *)vp->vp_strvalue);
216 request->username = vp;
219 DEBUG2(" rlm_realm: Proxying request from user %s to realm %s",
220 username, realm->name);
223 * Add the realm name to the request.
225 pairadd(&request->packet->vps, pairmake("Realm", realm->name,
227 DEBUG2(" rlm_realm: Adding Realm = \"%s\"", realm->name);
230 * Figure out what to do with the request.
232 switch (request->packet->code) {
234 DEBUG2(" rlm_realm: Unknown packet code %d\n",
235 request->packet->code);
236 return 0; /* don't do anything */
239 * Perhaps accounting proxying was turned off.
241 case PW_ACCOUNTING_REQUEST:
242 if (!realm->acct_pool) {
243 DEBUG2(" rlm_realm: Accounting realm is LOCAL.");
249 * Perhaps authentication proxying was turned off.
251 case PW_AUTHENTICATION_REQUEST:
252 if (!realm->auth_pool) {
253 DEBUG2(" rlm_realm: Authentication realm is LOCAL.");
260 * If this request has arrived from another freeradius server
261 * that has already proxied the request, we don't need to do
264 vp = pairfind(request->packet->vps, PW_FREERADIUS_PROXIED_TO);
270 * What the heck is this code doing, and why?
273 if (request->packet->code == PW_AUTHENTICATION_REQUEST &&
274 vp->lvalue == realm->home_auth->ipaddr.ipaddr.ip4addr.s_addr) {
275 DEBUG2(" rlm_realm: Request not proxied due to Freeradius-Proxied-To");
278 if (request->packet->code == PW_ACCOUNTING_REQUEST &&
279 vp->lvalue == realm->home_acct->ipaddr.ipaddr.ip4addr.s_addr) {
280 DEBUG2(" rlm_realm: Request not proxied due to Freeradius-Proxied-To");
287 * We got this far, which means we have a realm, set returnrealm
289 *returnrealm = realm;
294 * Add a "Proxy-To-Realm" attribute to the request.
296 static void add_proxy_to_realm(VALUE_PAIR **vps, REALM *realm)
301 * Tell the server to proxy this request to another
304 vp = pairmake("Proxy-To-Realm", realm->name, T_OP_EQ);
306 radlog(L_ERR|L_CONS, "no memory");
311 * Add it, even if it's already present.
317 * Perform the realm module instantiation. Configuration info is
318 * stored in *instance for later use.
321 static int realm_instantiate(CONF_SECTION *conf, void **instance)
323 struct realm_config_t *inst;
325 /* setup a storage area for instance data */
326 inst = rad_malloc(sizeof(*inst));
330 memset(inst, 0, sizeof(*inst));
332 if(cf_section_parse(conf, inst, module_config) < 0) {
337 if(strcasecmp(inst->formatstring, "suffix") == 0) {
338 inst->format = REALM_FORMAT_SUFFIX;
339 } else if(strcasecmp(inst->formatstring, "prefix") == 0) {
340 inst->format = REALM_FORMAT_PREFIX;
342 radlog(L_ERR, "Bad value \"%s\" for realm format value", inst->formatstring);
346 if(strlen(inst->delim) != 1) {
347 radlog(L_ERR, "Bad value \"%s\" for realm delimiter value", inst->delim);
362 * Examine a request for a username with an realm, and if it
363 * corresponds to something in the realms file, set that realm as
366 * This should very nearly duplicate the old proxy_send() code
368 static int realm_authorize(void *instance, REQUEST *request)
373 * Check if we've got to proxy the request.
374 * If not, return without adding a Proxy-To-Realm
377 if (check_for_realm(instance, request, &realm) < 0) {
378 return RLM_MODULE_FAIL;
381 return RLM_MODULE_NOOP;
385 * Maybe add a Proxy-To-Realm attribute to the request.
387 DEBUG2(" rlm_realm: Preparing to proxy authentication request to realm \"%s\"\n",
389 add_proxy_to_realm(&request->config_items, realm);
391 return RLM_MODULE_UPDATED; /* try the next module */
395 * This does the exact same thing as the realm_authorize, it's just called
398 static int realm_preacct(void *instance, REQUEST *request)
400 const char *name = (char *)request->username->vp_strvalue;
404 return RLM_MODULE_OK;
408 * Check if we've got to proxy the request.
409 * If not, return without adding a Proxy-To-Realm
412 if (check_for_realm(instance, request, &realm) < 0) {
413 return RLM_MODULE_FAIL;
416 return RLM_MODULE_NOOP;
421 * Maybe add a Proxy-To-Realm attribute to the request.
423 DEBUG2(" rlm_realm: Preparing to proxy accounting request to realm \"%s\"\n",
425 add_proxy_to_realm(&request->config_items, realm);
427 return RLM_MODULE_UPDATED; /* try the next module */
430 static int realm_detach(void *instance)
432 struct realm_config_t *inst = instance;
437 /* globally exported name */
438 module_t rlm_realm = {
441 0, /* type: reserved */
442 realm_instantiate, /* instantiation */
443 realm_detach, /* detach */
445 NULL, /* authentication */
446 realm_authorize, /* authorization */
447 realm_preacct, /* preaccounting */
448 NULL, /* accounting */
449 NULL, /* checksimul */
450 NULL, /* pre-proxy */
451 NULL, /* post-proxy */