[Serdev] auth_radius module problems in pre39
Maxim Sobolev
sobomax at portaone.com
Sat Jul 12 10:40:29 UTC 2003
Jan Janak wrote:
> On 12-07 01:18, Maxim Sobolev wrote:
>
>>Operating system is FreeBSD 4.8. Please let me know what else you
>>need for debugging.
>
>
> And architecture ? ia32 ?
Yes.
>>> Do you mean that To or From domain name is compared to realm ? This
>>> comparison was introduced by Juha for multi-domain support. A request
>>> must have To or From (depending on request type) domain same as the
>>> digest realm value. The reason for this check is that a proxy can
>>> handle multiple domains concurrently, in that case it is good to check
>>> the domain and realm, otherwise users might use their credentials for
>>> realm A to get access to realm B even if they have no credentials for
>>> realm B.
>>
>>I see your point, but for single realm configurations can we provide a
>>config option which will disable this check?
>
>
> Yes, we can make it a configurable option, but is that really
> necessary ? I mean, the realm is just a string that should be
> displayed to the user and that the proxy uses to find the
> corresponding credentials.
>
> Before I make it a configurable option, what exactly do you need to
> achieve that it is not possible with the check ?
It places a strict restriction on what domain a UA can place into the
otherwise unimportant From/To header field, which can hurt in some cases.
-Maxim
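
The domain/realm check discussed in this thread, together with the kind of switch being requested, as an added example that is not part of the original message and is not SER's own code. The names uri_host, realm_check and enforce are hypothetical, the choice of To for REGISTER and From for other requests is an assumption (the thread only says "depending on request type"), and the URIs are constructed sample input.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the host part of a SIP URI (sip:user@host:port;params) into out.
 * IPv6 literals in brackets are not handled and are rejected by the caller. */
static int uri_host(const char *uri, char *out, size_t outlen)
{
    const char *p = strchr(uri, ':');       /* end of the scheme */
    if (!p) return -1;
    const char *at = strchr(++p, '@');      /* skip userinfo if present */
    if (at) p = at + 1;
    size_t n = strcspn(p, ":;?>");          /* host ends at port or params */
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Returns 1 if credentials for `realm` may be used on this request.
 * enforce == 0 models the requested option for single-realm setups. */
int realm_check(const char *method, const char *from_uri,
                const char *to_uri, const char *realm, int enforce)
{
    char host[256];
    if (!enforce) return 1;
    /* ASSUMPTION: REGISTER is checked against To, everything else
     * against From; the thread does not spell out the mapping. */
    const char *uri = strcmp(method, "REGISTER") == 0 ? to_uri : from_uri;
    if (uri_host(uri, host, sizeof host) != 0) return 0;  /* fail closed */
    return strcasecmp(host, realm) == 0;    /* domain names ignore case */
}

int main(void)
{
    /* Constructed requests: realm-A credentials on a realm-B From domain. */
    printf("cross-realm, enforced: %d\n", realm_check("INVITE",
        "sip:alice@b.example.org", "sip:bob@b.example.org", "a.example.org", 1));
    printf("same realm, enforced:  %d\n", realm_check("INVITE",
        "sip:alice@A.example.org:5060", "sip:bob@b.example.org", "a.example.org", 1));
    printf("cross-realm, disabled: %d\n", realm_check("INVITE",
        "sip:alice@b.example.org", "sip:bob@b.example.org", "a.example.org", 0));
    return 0;
}
```

With the check disabled, the first request is accepted, which is harmless only when the proxy serves a single realm.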