That's not how the attr_filter module works.
The filter works on a realm-basis only, i.e. if it is from this realm (and if the realm does not exist in the filter, the DEFAULT section matches), let the attribute pass, if not, strip it from the request/reply. If you want to do more advanced processing, you let the attribute pass, and then write unlang statements to either remove it or leave it in the reply (or request), or don't use attr_filter at all.
So yeah, for apc.moonshot.ja.net I would say the least we should do is provide this as standard, since Adam has pointed out that *any* RADIUS request/reply to/from the APC must be left alone.
Stefan
-----Original Message-----
From: Sam Hartman [mailto:[log in to unmask]]
Sent: 07 July 2014 14:04
To: Stefan Paetow
Cc: [log in to unmask]
Subject: Re: attr_filter in FreeRADIUS + GSS-Acceptor-* attributes
You still need to do the checks (at least for host-name and service) even if the realm is on the trust-router.
You *should* do the realm check, although the damage that can be done if you do not will be minimal.
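An added example, not part of the original messages and not FreeRADIUS code: a simplified Python model of the per-realm filtering described in the thread, showing how a realm with no section of its own falls through to DEFAULT and loses its GSS-Acceptor-* attributes. The realm names, the rule sets and the Vendor-Debug attribute are assumptions; real attr_filter rules can also test attribute values, which this model omits.

```python
# Simplified model of realm-keyed attribute filtering as described above.
# Constructed example: realm names and rule sets are assumptions, and real
# attr_filter rules can also test attribute values, which this model omits.

GSS = {"GSS-Acceptor-Service-Name", "GSS-Acceptor-Host-Name",
       "GSS-Acceptor-Realm-Name"}

RULES = {
    "idp.example.org": {"User-Name", "Reply-Message"} | GSS,
    "DEFAULT": {"User-Name", "Reply-Message"},
}


def select_section(realm, rules=RULES):
    """Return the section name used for this realm: its own, else DEFAULT."""
    return realm if realm in rules else "DEFAULT"


def apply_filter(realm, packet, rules=RULES):
    """Split packet attributes into (passed, stripped) for the given realm.

    packet is a list of (attribute, value) pairs; order is preserved.
    """
    allowed = rules[select_section(realm, rules)]
    passed = [(a, v) for a, v in packet if a in allowed]
    stripped = [a for a, _ in packet if a not in allowed]
    return passed, stripped


# Constructed sample request carrying GSS-Acceptor-* attributes.
SAMPLE = [
    ("User-Name", "alice@idp.example.org"),
    ("GSS-Acceptor-Service-Name", "host"),
    ("GSS-Acceptor-Host-Name", "ssh.rp.example.net"),
    ("Vendor-Debug", "1"),  # hypothetical attribute no section allows
]

if __name__ == "__main__":
    for realm in ("idp.example.org", "unlisted.example.net"):
        passed, stripped = apply_filter(realm, SAMPLE)
        print(realm, "->", select_section(realm))
        print("  passed:  ", [a for a, _ in passed])
        print("  stripped:", stripped)
```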