Note
We recommend using Handler clauses for all new configurations.
Handlers provide more flexibility for defining how to match requests and
make future configuration changes easier to manage.
A Realm can be easily converted to a Handler. For example,
<Realm example.com> becomes <Handler Realm=example.com> and
<Realm /\.example\.com$/> becomes <Handler Realm=/\.example\.com$/>.
The closing </Realm> must also be changed to </Handler>.
The beginning of a Realm clause. The clause continues until </Realm> is
seen on a line. A Realm clause specifies a single RADIUS realm that this
server will service. A realm is the part of the user's login name that
follows the ‘@’ sign. For example, if a user logs in as
“mikem@open.com.au”, then “open.com.au” is the realm. All requests from
all users with the realm named in the <Realm realmname> line will be
handled in the way specified by the rest of the Realm clause. You can
configure one or more realms into your server, possibly with a different
AuthBy authentication method for each.
The realmname can be either an exact realm name or a Perl regular
expression (regexp), including the opening and closing slashes, that will
match zero or more realms. You can also use the ‘x’ and ‘i’ modifiers. If
you use a regexp, be very careful to check that your regexp matches only
those realms you mean it to. An unanchored pattern matches anywhere in the
realm name, so anchor it (for example with a trailing $, as in
/\.example\.com$/) when you mean “ends with”. Consult your Perl reference
manual for more information on writing Perl regexps.
If you omit the realm name from the <Realm> line, the clause will match
requests with a NULL realm (i.e. where the user did not enter a
realm-qualified user name, such as a bare “fred” or “alice”).
When Radiator looks for a <Realm realmname> clause to match an incoming
request, it first looks for an exact match with the Realm name. If no
match is found, it will try to do a regexp match against Realm names that
look like regexps (i.e. have slashes at each end). If still no match, it
looks for a Realm called DEFAULT. If still no match, it logs an error and
ignores (i.e. does not reply to) the request. For more information about
exceptions, see
Section 3.31. <Handler attribute=value,attribute=value, ....>.
The special DEFAULT realm (if it is defined) will be used to handle
requests from users in realms for which there is no other matching Realm
clause.
# Handle requests with no realm with UNIX,
# from user@open.com.au with SQL
# from any realm ending in .au by forwarding
# and from any other realm with DBFILE
<Realm>
<AuthBy UNIX>
.....
</AuthBy>
</Realm>
<Realm open.com.au>
<AuthBy SQL>
......
</AuthBy>
</Realm>
# Any realm ending in .au (the trailing $ anchors the match to
# the end of the realm name)
<Realm /.*\.au$/>
<AuthBy RADIUS>
.....
</AuthBy>
</Realm>
# Any realm ending in .au, .AU, .Au, .aU (i.e. it is
# case-insensitive)
<Realm /.*\.au$/i>
<AuthBy RADIUS>
.....
</AuthBy>
</Realm>
# Any other realm
<Realm DEFAULT>
<AuthBy DBFILE>
.......
</AuthBy>
</Realm>
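The lookup order described above (exact name, then regexp names, then DEFAULT, otherwise ignored) can be modelled offline to check which clause a given realm would reach before a configuration is deployed. This is an added example, not Radiator code: the function names, clause lists and sample realms are constructed, Python's re module stands in for Perl regexps, and splitting at the last ‘@’ and trying regexps in configuration order are assumptions.

```python
import re

def split_realm(username):
    # Realm = text after the '@'; a bare user name gives the NULL realm ("").
    # Assumption: split at the last '@'.
    _, sep, realm = username.rpartition("@")
    return realm if sep else ""

def as_regexp(name):
    # A Realm name with a slash at each end, plus optional 'x'/'i'
    # modifiers, is treated as a regexp; anything else is an exact name.
    m = re.fullmatch(r"/(.*)/([xi]*)", name, re.S)
    if not m:
        return None
    mods = m.group(2)
    flags = (re.I if "i" in mods else 0) | (re.X if "x" in mods else 0)
    return re.compile(m.group(1), flags)

def select_realm(realm, names):
    # Returns the Realm name that would handle `realm`, or None when the
    # request would be logged as an error and ignored.
    if realm in names:                      # 1. exact match (incl. NULL realm)
        return realm
    for name in names:                      # 2. regexp names, assumed to be
        rx = as_regexp(name)                #    tried in configuration order
        if rx is not None and rx.search(realm):
            return name
    return "DEFAULT" if "DEFAULT" in names else None   # 3. DEFAULT, 4. ignore

def audit(names, realms):
    # Map every test realm to the clause that would handle it.
    return {realm: select_realm(realm, names) for realm in realms}

# Constructed clause lists: the same policy with and without a '$' anchor.
UNANCHORED = ["", "open.com.au", r"/.*\.au/i", "DEFAULT"]
ANCHORED = ["", "open.com.au", r"/\.au$/i", "DEFAULT"]
# Constructed realms, including two that merely contain ".au".
SAMPLES = ["", "open.com.au", "isp.net.AU", "example.audio",
           "isp.au.example.net", "example.org"]

if __name__ == "__main__":
    for label, names in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(label)
        for realm, clause in audit(names, SAMPLES).items():
            target = "ignored" if clause is None else f"<Realm {clause}>"
            print(f"  {realm or '(NULL)':<20} -> {target}")
```

With the unanchored pattern, example.audio and isp.au.example.net are handled by the .au clause; with the anchored pattern they fall through to DEFAULT.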