notes on case sensitivity
authorAlan T. DeKok <aland@freeradius.org>
Thu, 31 Dec 2015 00:53:17 +0000 (19:53 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 31 Dec 2015 00:53:42 +0000 (19:53 -0500)
raddb/policy.d/filter

index 0121f29..b35bd59 100644 (file)
@@ -169,6 +169,13 @@ filter_inner_identity {
                #  the outer one is "example.com" and the inner
                #  is "secure.example.com"
                #
+               #  Note that we do EQUALITY checks for realm names.
+               #  There is no simple way to do case insensitive checks
+               #  on internationalized domain names.  On top of that,
+               #  allowing outer "anonymous@EXAMPLE.COM" and inner
+               #  "user@example.com" is just stupid.  The user should
+               #  enter the same realm for both inner and outer identities.
+               #
                if (&Inner-Realm-Name && &Outer-Realm-Name && \
                    (&Inner-Realm-Name != &Outer-Realm-Name) && \
                    (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) {
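Review bot: The added comment says realm names get EQUALITY checks, but the condition right below it also accepts a suffix match, `(&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)`, which the comment does not describe. That branch carries no case-insensitive flag, so it is case-sensitive as well. It also expands the user-supplied outer realm into the pattern. Unless the server escapes that expansion (not visible here), each `.` in the outer realm matches any character, making the check looser than a literal subdomain comparison. I would extend the comment with a line such as `#  The subdomain check below is a case-sensitive regex; the outer realm is used as a pattern, not as a literal string.` The `if` block continues outside the hunk.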