rlm_policy(5)                   FreeRADIUS Module                  rlm_policy(5)

NAME
rlm_policy - FreeRADIUS Module

DESCRIPTION
The rlm_policy module implements a simple "policy" language.

The policy language implemented by this module is simple, and specific to
RADIUS. It does not implement variables, arrays, loops, gotos, or any other
feature of a real language. If those features are needed for your system, we
suggest using rlm_perl.

What the policy module implements is a simple way to look for attributes in
the request packet (or other places), and to add attributes to the reply
packet (or other places) based on those decisions. Where the module shines is
that it is significantly more flexible than the old-style users file.

The module has one configuration item:

filename
    The file where the policy is stored.


CONFIGURATION
Named policies
The policy is composed of a series of named policies. The following example
defines a policy named "foo".

    policy foo {
        ...
    }

Policy names MAY NOT be the same as attributes in the dictionary. Defining a
policy with the same name as a dictionary attribute will cause an error
message to be printed, and the policy will not be loaded.

When the policy module is listed in a module section like "authorize", the
module calls a policy named "authorize". The "post-auth", etc. sections
behave the same. These names cannot be changed.

Including multiple files
The main file referred to from the radiusd.conf may include one or more other
files, as in the following example.

    include "policy.txt"

The filename must be in a double-quoted string, and is assumed to be relative
to the location of the current file. If the filename ends with a '/', then it
is assumed to be a directory, and all files in that directory will be read.

    include "dir/"

All files in "dir/" will be read and included into the policy definition. Any
dot files (".", "..", etc.) will not be included, however.

Referencing a named policy
The following example references a named policy:

    foo()

While the brackets are required, no arguments may be passed.

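The pieces above put together, as an added example that is not text from this
man page and not a file shipped with FreeRADIUS. It assumes the module instance
in radiusd.conf is called "policy" and that ${confdir} expands as it does
elsewhere in radiusd.conf, that "#" introduces a comment as in the rest of the
server configuration, and that the NAS address and the timeout values are made
up for the example; only the syntax comes from this page.

```conf
# radiusd.conf: the module's one configuration item.  The instance name
# "policy" and the path are assumptions made for this example.
policy {
    filename = ${confdir}/policy.txt
}

# /etc/raddb/policy.txt, the main file named above.  The entry points are
# fixed by section name ("authorize", "post-auth", ...); each one only
# delegates to a named policy, and the named policies come from every
# non-dot file in "policies/", a path relative to this file.
include "policies/"

policy authorize {
    nas_limits()
}

policy post-auth {
    session_limits()
}

# /etc/raddb/policies/limits.txt, pulled in by the include above.  Neither
# name matches a dictionary attribute; a policy named "Session-Timeout"
# would print an error and be skipped at load time.  The address and the
# values are constructed for the example.
policy nas_limits {
    if (NAS-IP-Address == 192.0.2.10) {
        reply .= {
            Session-Timeout = 28800
        }
    } else {
        reply .= {
            Session-Timeout = 3600
        }
    }
}

policy session_limits {
    reply .= {
        Idle-Timeout = 600
    }
}
```

Because foo() takes no arguments, a named policy can only vary its behaviour
on the request it is handed, so split policies by purpose rather than by
parameter. Keep the included directory free of stray files: everything in it
except dot files is parsed, and a misnamed file is not a syntax error.
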
Conditions
"if" statements are supported.

    if (expression) {
        ...
    }

and "else"

    if (expression) {
        ...
    } else {
        ...
    }

also, "else if"

    if (expression) {
        ...
    } else if (expression) {
        ...
    }

Expressions within if statements
Expressions must always be enclosed in brackets. Sorry.

The following kinds of expressions may be used, with their meanings.

(attribute-reference)
    TRUE if the referenced attribute exists, FALSE otherwise. See below for
    details on attribute references.

(!(expression))
    FALSE if the nested expression returned TRUE, and TRUE if it returned
    FALSE.

(attribute-reference == value)
    Compares the attribute to the value. The operators here can be "==",
    "!=", "=~", "!~", "<", "<=", ">", and ">=".

(string1 == string2)
    A special case of the above. The "string1" is dynamically expanded at
    run time, while "string2" is not. The operators here can be "==", "!=",
    "=~", and "!~". Of these, the most useful is "=~", which lets you do
    things like ("%{ldap:query...}" =~ "foo=(.*)"). The results of the
    regular expression match are put into %{1}, and can be used later. See
    "doc/variables.txt" for more information.

((expression1) || (expression2))
    Short-circuit "or". If expression1 is TRUE, expression2 is not
    evaluated.

((expression1) && (expression2))
    Short-circuit "and". If expression1 is FALSE, expression2 is not
    evaluated.

Limitations
The && and || operators have equal precedence, so an expression that mixes
them must spell out the intended grouping with explicit parentheses. You
can't call a function as an expression.

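Each expression form above in one "authorize" policy, added here as an
illustration; it is not from the man page and not from FreeRADIUS. The port
types, VLAN ids, NAS address, realm and regular expressions are constructed
for the example, "#" comments are assumed to be accepted as elsewhere in the
server configuration, and the use of %{1} inside a reply value assumes reply
values are expanded the way users-file values are, which this page does not
state.

```conf
policy authorize {
    # (attribute-reference) tests for presence; (!(...)) inverts it.  A
    # request with no User-Name cannot be matched to a user at all.
    if (!(User-Name)) {
        reply .= {
            Reply-Message = "User-Name is required"
        }
    } else if ((NAS-Port-Type == Wireless-802.11) && ("%{Called-Station-Id}" =~ ":([^:]+)$")) {
        # Short-circuit "and": the regex is only tried for wireless ports.
        # "=~" on the expanded string captures the SSID after the last colon
        # into %{1}.  Called-Station-Id is supplied by the NAS, so the
        # capture is only echoed back; the VLAN is chosen by the condition,
        # never by the untrusted string.
        reply .= {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = "100"
            Reply-Message = "guest VLAN for SSID %{1}"
        }
    } else if ((((NAS-Port-Type == Ethernet) || (NAS-IP-Address == 192.0.2.10)) && (User-Name =~ "@corp[.]example$"))) {
        # "&&" and "||" have equal precedence, so the intended grouping,
        # (wired OR this NAS) AND corporate realm, is written out with
        # parentheses.  "[.]" matches a literal dot without an escape, and
        # the "$" anchor stops "user@corp.example.attacker.test" matching.
        reply .= {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = "20"
        }
    }
}
```

Anchor every regular expression that gates a privilege, and treat anything
captured into %{1} from request attributes as attacker-controlled: it is safe
to log or echo, not to use as a lookup key without further checks.
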
Attribute references
Attribute references are:

Attribute-Name
    Refers to an attribute of that name in the Access-Request or
    Accounting-Request packet. May also refer to "server-side" attributes,
    which are not documented anywhere.

request:Attribute-Name
    An alternate way of referencing an attribute in the request packet; the
    same as the bare Attribute-Name form.

reply:Attribute-Name
    An attribute in the reply packet.

proxy-request:Attribute-Name
    An attribute in the Access-Request or Accounting-Request packet which
    will be proxied to the home server.

proxy-reply:Attribute-Name
    An attribute in the Access-Accept or other packet which was received
    from a home server.

control:Attribute-Name
    An attribute in the per-request configuration and control attributes.
    Also known as "check" attributes (doc/variables.txt).

Adding attributes to reply packet (or other location)

    reply .= {
        attribute-name = value
        ...
        attribute-name = value
    }

The first name can be "request", "reply", "control", "proxy-request", or
"proxy-reply".

The operator can be

.=  - appends attributes to the end of the list

:=  - replaces the existing list with the attributes in the block (a bad
      idea: anything other modules already added to that list is discarded)

=   - use the operators from each "attribute = value" line to decide what to
      do (see "users")

The block must contain only attributes and values. Nothing else is permitted.

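The list operators and the other list names in use, as an added example that
is neither from the man page nor from FreeRADIUS. It assumes "#" comments are
accepted, that the lines inside a "=" block take the users-file operators
(":=", "+=") as users(5) describes them, and that the NAS-Identifier value and
the timeouts are made up for the example.

```conf
policy authorize {
    # ".=" appends: whatever earlier modules already put in the reply (a
    # VLAN assignment, for instance) survives.
    reply .= {
        Session-Timeout = 3600
        Idle-Timeout = 600
    }

    # "=" hands every line to the users-file operators: ":=" overrides any
    # Framed-MTU that is already present, "+=" adds regardless.
    reply = {
        Framed-MTU := 1400
        Reply-Message += "Sessions are limited to one hour"
    }

    # "control:" is the per-request check list; a check item set here
    # constrains this request only.
    control .= {
        Simultaneous-Use = 1
    }
}

policy pre-proxy {
    # The copy sent to the home server has its own list, so this does not
    # alter the local request packet.
    proxy-request .= {
        NAS-Identifier = "proxy-01"
    }
}

# Deliberately absent: "reply := { ... }".  It throws away the whole reply
# list, including attributes other modules added, which is why the text
# calls it a bad idea; append with ".=" and override single attributes
# through a "=" block with ":=" instead.
```
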

SECTIONS
authorize post-auth pre-proxy post-proxy

FILES
/etc/raddb/radiusd.conf

SEE ALSO
radiusd(8), users(5), radiusd.conf(5)

AUTHOR
Alan DeKok <aland@ox.org>



                               7 December 2004                    rlm_policy(5)