I believe there is a bug here, just not the one that Stefan believes exists :)
I think that rlm_realm should be returning reject in the event of a failure to locate a realm, rather than noop - otherwise an RP-proxy will start trying to terminate EAP tunnels.
This is undesirable behaviour for the realm module in general though - this would probably need to be implemented as a toggle, defaulting to noop, i.e.:
realm suffix {
# ...
reject_on_notfound = yes
}
realm IPASS {
# reject_on_notfound = no
}
This could also be done in unlang (something like this?):
suffix {
noop = reject
}
Regards,
Adam Bishop
Systems Development Specialist
gpg: 0x6609D460
t: +44 (0)1235 822 245
xmpp: [log in to unmask]
Janet, the UK's research and education network.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
|