#
# Example policy that rejects every login attempt which carries a
# realm in the User-Name (an "@" or a backslash separator).
#
deny_realms {
	#
	#  Reject any User-Name that carries a realm.  The regex matches
	#  either an "@" (user@realm) or a literal backslash (the "\\"
	#  is an escaped backslash, so DOMAIN\user style names are
	#  caught as well).  A name without either separator is left
	#  untouched: the policy never modifies the request, it only
	#  ever rejects.
	#
	if (User-Name =~ /@|\\/) {
		reject
	}
}
| 10 | |
#
# Filter the username
#
# Force some sanity on User-Name. This helps to avoid issues where the
# back-end database is "forgiving" about what constitutes a user name
# (for example, a case-insensitive or whitespace-trimming comparison
# that would let "User " match "user").
#
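filter_username {
	#
	#  The checks below run in order; the first one that matches
	#  rejects the request and the remaining checks are skipped.
	#  Each Reply-Message is returned to the client with the reject,
	#  so the client learns which rule its User-Name failed.
	#
	#  These are format sanity checks on an untrusted attribute.
	#  They do not replace the escaping or quoting the back-end
	#  module does before using User-Name in a query.
	#

	#
	#  Reject any upper-case letter.  The name is compared with its
	#  lower-cased form, so this is stricter than "mixed case":
	#  "UseRNaMe" and "User" are both rejected, "username" passes.
	#  This is the only check that rejects without a Reply-Message.
	#  NOTE(review): what happens when User-Name is absent depends on
	#  how the server evaluates a comparison on a missing attribute;
	#  confirm before relying on this policy for that case.
	#
	if (User-Name != "%{tolower:%{User-Name}}") {
		reject
	}

	#
	#  Reject any whitespace.  This used to be / /, which only
	#  caught the ASCII space and let a tab or other whitespace
	#  through even though the stated intent was "all whitespace".
	#  [[:space:]] is a POSIX bracket class, understood by the
	#  extended regex engine the server uses.
	#  e.g. "user@ site.com", "us er", " user", "user "
	#
	if (User-Name =~ /[[:space:]]/) {
		update reply {
			Reply-Message += "Rejected: Username contains whitespace"
		}
		reject
	}

	#
	#  Reject more than one "@".  A second "@" makes the user/realm
	#  split ambiguous.
	#  e.g. "user@site.com@site.com"
	#
	if (User-Name =~ /@.*@/) {
		update reply {
			Reply-Message += "Rejected: Multiple @ in username"
		}
		reject
	}

	#
	#  Reject two consecutive dots anywhere in the name, not only
	#  in the realm part.
	#  e.g. "user@site..com"
	#
	if (User-Name =~ /\\.\\./) {
		update reply {
			Reply-Message += "Rejected: Username contains ..s"
		}
		reject
	}

	#
	#  If there is a realm, it must contain at least one dot with
	#  something on each side of it.  Names without an "@" are not
	#  checked here.
	#  e.g. "user@site.com" passes, "user@site" is rejected.
	#
	if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) {
		update reply {
			Reply-Message += "Rejected: Realm does not have at least one dot separator"
		}
		reject
	}

	#
	#  Reject a trailing dot.  The regex is applied to the whole
	#  User-Name, so "user." (no realm) is rejected as well.
	#  e.g. "user@site.com."
	#
	if (User-Name =~ /\\.$/) {
		update reply {
			Reply-Message += "Rejected: Realm ends with a dot"
		}
		reject
	}

	#
	#  Reject a realm that begins with a dot.
	#  e.g. "user@.site.com"
	#
	if (User-Name =~ /@\\./) {
		update reply {
			Reply-Message += "Rejected: Realm begins with a dot"
		}
		reject
	}
}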