# Only the "authorize" section is needed.
#
authorize {
- if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) {
- reject
- }
- if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) {
- update control {
- &Chbind-Response-Code := success
- }
-
- #
- # ACK the attributes in the request.
- #
- # If any one of these attributes don't exist in the request,
- # then they won't be copied to the reply.
- #
- update reply {
- &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name
- &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name
- &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name
- }
- }
-
- #
- # Return "handled" so that the "authenticate" section isn't used.
- #
- handled
-}
+ #In general this section should include a policy for each type
+ # of channel binding that may be in use. For example each lower
+ # layer such as GSS-EAP (RFC 7055) or IEEE 802.11I is likely to
+ # need a separate channel binding policy.
+ abfab_channel_bindings
}
- }
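Review bot: The rewritten `authorize` body no longer ends with `handled`, which the removed lines used so that the `authenticate` section would not run for channel-binding requests; unless the `abfab_channel_bindings` policy returns `handled` itself (its definition is not in this diff), these requests will now fall through to `authenticate`. The old inline check rejected a request whose `GSS-Acceptor-Service-Name` did not match `&outer.request:GSS-Acceptor-Service-Name`, so the policy is now the only place that comparison can happen; a pointer for the reader would help, e.g. `# abfab_channel_bindings must compare the acceptor attributes with the outer request and return "handled"`. The first added comment line also lacks the space after `#` that the following lines use: `# In general this section should include a policy for each type`.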
ATTRIBUTE UKERNA-GSS-Acceptor-Host-Name 129 string
ATTRIBUTE UKERNA-GSS-Acceptor-Service-Specific 130 string
ATTRIBUTE UKERNA-GSS-Acceptor-Realm-Name 131 string
-ATTRIBUTE SAML-AAA-Assertion 132 string
-ATTRIBUTE EAP-Channel-Binding-Message 135 octets
+ATTRIBUTE SAML-AAA-Assertion 132 string
+ATTRIBUTE MS-Windows-Auth-Data 133 octets
+ATTRIBUTE MS-Windows-Group-Sid 134 string
+ATTRIBUTE EAP-Channel-Binding-Message 135 octets
+ATTRIBUTE Trust-Router-COI 136 string
+ATTRIBUTE Trust-Router-APC 137 string
- attribute Moonshot-Host-TargetedId 138 string
- attribute Moonshot-Realm-TargetedId 139 string
- attribute Moonshot-TR-COI-TargetedId 140 string
++ATTRIBUTE Moonshot-Host-TargetedId 138 string
++ATTRIBUTE Moonshot-Realm-TargetedId 139 string
++ATTRIBUTE Moonshot-TR-COI-TargetedId 140 string
END-VENDOR UKERNA
void realms_free(void);
REALM *realm_find(char const *name); /* name is from a packet */
REALM *realm_find2(char const *name); /* ... with name taken from realm_find */
+ void realm_home_server_sanitize(home_server_t *home, CONF_SECTION *cs);
int realm_home_server_add(home_server_t *home, CONF_SECTION *cs, int dual);
+void realm_home_server_sanitize( home_server_t *home, CONF_SECTION *cs);
int realm_pool_add(home_pool_t *pool, CONF_SECTION *cs);
+ void realm_pool_free(home_pool_t *pool);
int realm_realm_add( REALM *r, CONF_SECTION *cs);
void home_server_update_request(home_server_t *home, REQUEST *request);
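Review bot: `realm_home_server_sanitize` is declared twice in the new header, once before `realm_home_server_add` and once after it with different spacing (`( home_server_t`); if this is not the rendered page printing one line twice, one of them should go, keeping the form that matches the neighbouring prototypes: `void realm_home_server_sanitize(home_server_t *home, CONF_SECTION *cs);`. The same commit removes that function's definition from realms.c, so the prototype should be checked against wherever the definition now lives. The added `realm_pool_free` prototype carries no comment, while the nearby `realm_find` prototypes document their contract inline (`/* name is from a packet */`); a one-line note saying whether it also frees the pool's home servers would save callers a trip to the definition.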
return realm_home_server_add(home, cs, dual);
}
- void realm_home_server_sanitize(home_server_t *home,
- CONF_SECTION *cs)
- {
- CONF_SECTION *parent = NULL;
- FR_INTEGER_BOUND_CHECK("max_outstanding", home->max_outstanding, >=, 8);
- FR_INTEGER_BOUND_CHECK("max_outstanding", home->max_outstanding, <=, 65536*16);
-
- FR_INTEGER_BOUND_CHECK("ping_interval", home->ping_interval, >=, 6);
- FR_INTEGER_BOUND_CHECK("ping_interval", home->ping_interval, <=, 120);
-
- FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, >=, 0, 1000);
- FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, <=, 60, 0);
- FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, <=,
- main_config.max_request_time, 0);
-
- FR_INTEGER_BOUND_CHECK("response_timeouts", home->max_response_timeouts, >=, 1);
- FR_INTEGER_BOUND_CHECK("response_timeouts", home->max_response_timeouts, <=, 1000);
-
- /*
- * Track the minimum response window, so that we can
- * correctly set the timers in process.c
- */
- if (timercmp(&main_config.init_delay, &home->response_window, >)) {
- main_config.init_delay = home->response_window;
- }
-
- FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, >=, 1);
- FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, <=, 120);
- FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, >=, (uint32_t) home->response_window.tv_sec);
-
- FR_INTEGER_BOUND_CHECK("num_pings_to_alive", home->num_pings_to_alive, >=, 3);
- FR_INTEGER_BOUND_CHECK("num_pings_to_alive", home->num_pings_to_alive, <=, 10);
-
- FR_INTEGER_BOUND_CHECK("check_timeout", home->ping_timeout, >=, 1);
- FR_INTEGER_BOUND_CHECK("check_timeout", home->ping_timeout, <=, 10);
-
- FR_INTEGER_BOUND_CHECK("revive_interval", home->revive_interval, >=, 60);
- FR_INTEGER_BOUND_CHECK("revive_interval", home->revive_interval, <=, 3600);
-
- #ifdef WITH_COA
- FR_INTEGER_BOUND_CHECK("coa_irt", home->coa_irt, >=, 1);
- FR_INTEGER_BOUND_CHECK("coa_irt", home->coa_irt, <=, 5);
-
- FR_INTEGER_BOUND_CHECK("coa_mrc", home->coa_mrc, <=, 20);
-
- FR_INTEGER_BOUND_CHECK("coa_mrt", home->coa_mrt, <=, 30);
-
- FR_INTEGER_BOUND_CHECK("coa_mrd", home->coa_mrd, >=, 5);
- FR_INTEGER_BOUND_CHECK("coa_mrd", home->coa_mrd, <=, 60);
- #endif
-
- FR_INTEGER_BOUND_CHECK("max_connections", home->limit.max_connections, <=, 1024);
-
- #ifdef WITH_TCP
- /*
- * UDP sockets can't be connection limited.
- */
- if (home->proto != IPPROTO_TCP) home->limit.max_connections = 0;
- #endif
-
- if ((home->limit.idle_timeout > 0) && (home->limit.idle_timeout < 5))
- home->limit.idle_timeout = 5;
- if ((home->limit.lifetime > 0) && (home->limit.lifetime < 5))
- home->limit.lifetime = 5;
- if ((home->limit.lifetime > 0) && (home->limit.idle_timeout > home->limit.lifetime))
- home->limit.idle_timeout = 0;
-
- parent = cf_item_parent(cf_sectiontoitem(cs));
- if (parent && strcmp(cf_section_name1(parent), "server") == 0) {
- home->parent_server = cf_section_name2(parent);
- }
-
- }
--
int realm_home_server_add(home_server_t *home, CONF_SECTION *cs, int dual)
{
const char *name2 = home->name;
TARGET := rlm_realm.a
- SOURCES := rlm_realm.c trustrouter_integ.c
- TGT_LDLIBS := -ltr_tid
+ SOURCES := rlm_realm.c
+
+ #TRUSTROUTER = yes
+
+ ifneq "$(TRUSTROUTER)" ""
+ SRC_CFLAGS += -I /path/to/moonshot/include/ -D HAVE_TRUST_ROUTER_TR_DH_H
+ TGT_LDLIBS += -ltr_tid
+ SOURCES += trustrouter.c
+ endif
++
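Review bot: The include path in `SRC_CFLAGS += -I /path/to/moonshot/include/ -D HAVE_TRUST_ROUTER_TR_DH_H` is a placeholder, so enabling `TRUSTROUTER` as committed cannot build, and `HAVE_TRUST_ROUTER_TR_DH_H` is asserted by hand rather than detected. FreeRADIUS modules typically let their configure step probe the header and export the flags; if that is not feasible here, at least take the path from a variable (`TRUSTROUTER_INCLUDE ?= /path/to/moonshot/include`, then `-I $(TRUSTROUTER_INCLUDE)`) and say in the comment above `#TRUSTROUTER = yes` that the path must be edited before enabling. The source file also changes from `trustrouter_integ.c` to `trustrouter.c`; presumably the rename is elsewhere in the commit.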
char const *delim;
bool ignore_default;
bool ignore_null;
- char const *default_community;
- char const *rp_realm;
- char const *trust_router;
- unsigned int tr_port;
-
+ #ifdef HAVE_TRUST_ROUTER_TR_DH_H
+ char const *default_community;
+ char const *rp_realm;
+ char const *trust_router;
+ uint32_t tr_port;
+ #endif
} realm_config_t;
+#define stringify(s) #s
+
static CONF_PARSER module_config[] = {
{ "format", FR_CONF_OFFSET(PW_TYPE_STRING, realm_config_t, format_string), "suffix" },
{ "delimiter", FR_CONF_OFFSET(PW_TYPE_STRING, realm_config_t, delim), "@" },
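Review bot: `#define stringify(s) #s` is single-level stringification, so if it is applied to a macro (for example to turn a numeric default into the string a `CONF_PARSER` default takes, as `"suffix"` and `"@"` show) it yields the macro's name rather than its value; the usual two-level form avoids that: `#define STRINGIFY_(s) #s` and `#define STRINGIFY(s) STRINGIFY_(s)`. The lowercase, unprefixed name is also likely to collide with a same-named macro from a library header. The `module_config` entries for `default_community`, `rp_realm`, `trust_router` and `tr_port` are outside this hunk; now that the struct fields are conditional they need the same `#ifdef HAVE_TRUST_ROUTER_TR_DH_H` guard, or their `FR_CONF_OFFSET` references will not compile in a build without trust-router support.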
const home_pool_t *pool;
int i;
const home_server_t *server;
- time_t now = time(0);
- if (!r->auth_pool)
- return 0; /*not ours*/
+ time_t now = time(NULL);
+
+ /*
+ * No pool. Not our realm.
+ */
+ if (!r->auth_pool) return false;
+
pool = r->auth_pool;
- for (i = 0; i < pool->num_home_servers; i++) {w
+
+ for (i = 0; i < pool->num_home_servers; i++) {
server = pool->servers[i];
- if (server->cs)
- return 0; /*we didn't allocate this*/
- if ((server->last_packet_recv > now+5)
- ||(server->last_failed_open > now+5))
- continue; /*nonsensical values*/
- /*If any server has received a packet in the last 5 minutes then we don't need an update*/
- if (now - server->last_packet_recv < 300)
- return 0;
- /*If we haven't had a failed open to this server in the last 10 minutes, then try an open rather than an update*/
- if (now - server->last_failed_open > 600)
- return 0;
+
+ /*
+ * The realm was loaded from the configuration
+ * files.
+ */
+ if (server->cs) return false;
+
+ /*
+ * These values don't make sense.
+ */
+ if ((server->last_packet_recv > (now + 5)) ||
+ (server->last_failed_open > (now + 5))) {
+ continue;
+ }
+
+ /*
+ * This server has received a packet in the last
+ * 5 minutes. It doesn't need an update.
+ */
+ if ((now - server->last_packet_recv) < 300) {
+ return false;
+ }
+
+ /*
+ * If we've opened in the last 10 minutes, then
+ * open rather than update.
+ */
+ if ((now - server->last_failed_open) > 600) {
+ return false;
+ }
}
- return 1;
- }
+ return true;
+ }
+
- REALM *tr_query_realm(const char *q_realm,
- const char *q_community,
- const char *q_rprealm,
- const char *q_trustrouter,
- unsigned int q_trport)
+ REALM *tr_query_realm(char const *realm,
+ char const *community,
+ char const *rprealm,
+ char const *trustrouter,
+ unsigned int port)
{
int conn = 0;
- int rc;
+ int rcode;
gss_ctx_id_t gssctx;
struct resp_opaque cookie;