| # |
| # Example of forbidding all attempts to log in via |
| # realms. |
| # |
| deny_realms { |
| # |
| # Reject the request when User-Name matches the pattern |
| # below: an "@" or, as the alternative, a backslash - the |
| # separators of "user@realm" and "REALM\user" style names. |
| # No Reply-Message is added on this path. |
| # |
| # NOTE(review): the backslash alternative is written "\\". |
| # The filter_username patterns in this file write a literal |
| # dot as "\\.", which implies the config parser collapses |
| # "\\" to "\" before the regex is compiled. If that holds |
| # here too, this pattern ends in a lone backslash - confirm |
| # in debug output that "REALM\user" names are really |
| # rejected on the server version in use. |
| # |
| # NOTE(review): only these two separators are checked; |
| # confirm no other realm delimiter is configured elsewhere. |
| # |
| if (User-Name =~ /@|\\/) { |
| reject |
| } |
| } |
| |
| # |
| # Filter the username |
| # |
| # Force some sanity on User-Name. This helps to avoid |
| # issues where the back-end database is "forgiving" about |
| # what constitutes a user name. |
| # |
| filter_username { |
| # |
| # Runs a fixed sequence of checks against User-Name. Each |
| # check that matches ends in "reject"; all but the first |
| # also append a Reply-Message giving the reason. The checks |
| # are listed in order, so when several would match, the |
| # reason reported is that of the earliest one. |
| # |
| # Backslashes in the patterns below are doubled: "\\." is |
| # meant as a literal dot (see the examples on each check). |
| # NOTE(review): confirm the server version in use collapses |
| # "\\" to "\" inside /.../; if it does not, "\\." would not |
| # mean a literal dot and the dot checks would not fire as |
| # described. |
| # |
| |
| # |
| # reject mixed case |
| # e.g. "UseRNaMe" |
| # |
| # The comparison is against the lower-cased User-Name, so |
| # any upper-case letter triggers it ("USERNAME" as well as |
| # "UseRNaMe"). Unlike the checks below, this one adds no |
| # Reply-Message before rejecting. |
| # |
| if (User-Name != "%{tolower:%{User-Name}}") { |
| reject |
| } |
| |
| # |
| # reject all whitespace |
| # e.g. "user@ site.com", or "us er", or " user", or "user " |
| # |
| # NOTE(review): the pattern is a single literal space, so |
| # tabs and other whitespace characters are not caught by |
| # this check - confirm that is acceptable for the back-end. |
| # |
| if (User-Name =~ / /) { |
| update reply { |
| Reply-Message += "Rejected: Username contains whitespace" |
| } |
| reject |
| } |
| |
| # |
| # reject Multiple @'s |
| # e.g. "user@site.com@site.com" |
| # |
| # Matches two "@" with anything (or nothing) between them. |
| # |
| if(User-Name =~ /@.*@/ ) { |
| update reply { |
| Reply-Message += "Rejected: Multiple @ in username" |
| } |
| reject |
| } |
| |
| # |
| # reject double dots |
| # e.g. "user@site..com" |
| # |
| # The pattern is not tied to the "@", so it applies to the |
| # whole User-Name, not only to the realm part. |
| # |
| if (User-Name =~ /\\.\\./ ) { |
| update reply { |
| Reply-Message += "Rejected: Username contains ..s" |
| } |
| reject |
| } |
| |
| # |
| # must have at least 1 string-dot-string after @ |
| # e.g. "user@site.com" |
| # |
| # Only applies when User-Name contains an "@"; names with |
| # no realm part skip this check. |
| # |
| if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) { |
| update reply { |
| Reply-Message += "Rejected: Realm does not have at least one dot separator" |
| } |
| reject |
| } |
| |
| # |
| # Realm ends with a dot |
| # e.g. "user@site.com." |
| # |
| # The pattern only anchors on the end of User-Name, so a |
| # name without "@" that ends in a dot is rejected with the |
| # same "Realm ends with a dot" message. |
| # |
| if (User-Name =~ /\\.$/) { |
| update reply { |
| Reply-Message += "Rejected: Realm ends with a dot" |
| } |
| reject |
| } |
| |
| # |
| # Realm begins with a dot |
| # e.g. "user@.site.com" |
| # |
| # Matches a dot immediately after an "@". |
| # |
| if (User-Name =~ /@\\./) { |
| update reply { |
| Reply-Message += "Rejected: Realm begins with a dot" |
| } |
| reject |
| } |
| } |
| |