>>>>> "Stefan" == Stefan Paetow writes:
>> Yeah, when I talked about a sample policy I meant an unlang
>> policy. So, I'd expect the attr_filter rule to permit the
>> attribute, but to be commented out, and to include in a comment
>> instructions on where to enable the unlang policy.
Stefan> So you're saying you'd add the four attributes (or five, if
Stefan> you include SAML-AAA-Assertion) into a commented-out section
Stefan> in the pre-proxy/post-proxy attr_filter policy, include a
Stefan> comment to say "if you're using attr_filter, uncomment this
Stefan> section and also include the unlang policy (at
Stefan> /etc/raddb/policy.d/moonshot-policies for example) in your
Stefan> pre-proxy, post-proxy and post-auth sections"?
Stefan> If that's the case, that's fine by me.
Yes.
I could use help putting something together here that would serve as a
good example.
We'll have something for the managed RP service, but there it'll have a
bunch of LDAP goo and be a fairly complex config.
>> I don't follow that.
Stefan> I mean we should by default make sure that
Stefan> apc.moonshot.ja.net is excluded from any filtering,
Stefan> i.e. that it is by default in attr_filter and that if it is
Why do we want to exclude it from filtering?