.\" # DS - begin display
.de DS
.RS
.nf
.sp
..
.\" # DE - end display
.de DE
.fi
.RE
.sp
..
.TH rlm_policy 5 "7 December 2004" "" "FreeRADIUS Module"
.SH NAME
rlm_policy \- FreeRADIUS Module
.SH DESCRIPTION
The \fBrlm_policy\fP module implements a simple "policy" language.
.PP
The policy language implemented by this module is simple, and specific
to RADIUS. It does not implement variables, arrays, loops, goto's, or
any other feature of a real language. If those features are needed
for your system, we suggest using \fBrlm_perl\fP.
.PP
What the policy module implements is a simple way to look for
attributes in the request packet (or other places), and to add
attributes to the reply packet (or other places) based on those
decisions. Where the module shines is that it is significantly more
flexible than the old-style \fBusers\fP file.
.PP
The module has one configuration item:
.IP filename
The file where the policy is stored.
.SH POLICY LANGUAGE
.SS Named policies
The policy is composed of a series of named policies. The following
example defines a policy named "foo".
.PP
.DS
policy foo {
.br
...
.br
}
.DE
.PP
Policy names MAY NOT be the same as attributes in the dictionary.
Defining a policy with the same name as a dictionary attribute will
cause an error message to be printed, and the policy will not be
loaded.
.PP
When the policy module is listed in a module section like "authorize",
the module calls a policy named "authorize". The "post-auth",
etc. sections behave the same. These names cannot be changed.
.PP
.DS
include "policy.txt"
.DE
.PP
The filename must be in a double-quoted string, and is assumed to be
relative to the location of the current file. If the filename ends
with a '/', then it is assumed to be a directory, and all files in
that directory will be read.
.PP
.DS
include "dir/"
.DE
.PP
All file in "dir/" will be read and included into the policy
definition. Any dot files (".", "..", etc.) will not be included,
however.
.PP
.SS Including multiple files
The main file referred to from the \fIradiusd.conf\fP may include one
or more other files, as in the following example.
.PP
.SS Referencing a named policy
The following example references a named policy
.DS
foo()
.DE
While the brackets are required, no arguments may be passed.
.PP
.SS Conditions
"if" statements are supported.
.PP
if (expression) {
.br
...
.br
}
.DE
.PP
and "else"
.PP
if (expression) {
.br
...
.br
} else {
.br
...
.br
}
.DE
.PP
also, "else if"
.PP
if (expression) {
.br
...
.br
} else if (expression) {
.br
...
.br
}
.DE
.PP
.SS Expressions within "if" statements
Always have to have brackets around them. Sorry.
.PP
The following kinds of expressions may be used, with their meanings.
.IP (attribute-reference)
TRUE if the referenced attribute exists, FALSE otherwise. See below
for details on attribute references.
.IP (!(expression))
FALSE if the expression returned TRUE, and TRUE if the nested expression
returned FALSE.
.IP "(attribute-reference == value)"
Compares the attribute to the value. The operators here can be "==",
"!=", "=~", "!~", "<", "<=", ">", and ">=".
.IP "(string1 == string2)"
A special case of the above. The "string1" is dynamically expanded at
run time, while "string2" is not. The operators here can be "==",
"!=", "=~",and "!~". Of these, the most useful is "=~', which lets
you do things like ("%{ldap:query...}" =~ "foo=(.*) "). The results
of the regular expression match are put into %{1}, and can be used
later. See "doc/variables.txt" for more information.
.IP "((expression1) || (expression2))"
Short-circuit "or". If expression1 is TRUE, expression2 is not
evaluated.
.IP "((expression1) && (expression2))"
Short-circuit "and". If expression1 is FALSE, expression2 is not
evaluated.
.IP Limitations.
The && and || operators have equal precedence. You can't call a
function as a expression.
.PP
.PP
.SS Attribute references
Attribute references are:
.IP Attribute-Name
Refers to an attribute of that name in the Access-Request or
Accounting-Request packet. May also refer to "server-side"
attributes, which are not documented anywhere.
.IP request:Attribute-Name
An alternate way of referencing an attribute in the request packet.
.PP
.IP reply:Attribute-Name
An attribute in the reply packet
.PP
.IP proxy-request:Attribute-Name
An attribute in the Access-Request or Accounting-Request packet which
will be proxied to the home server.
.PP
.IP proxy-reply:Attribute-Name
An attribute in the Access-Accept or other packet which was received
from a home server.
.PP
.IP control:Attribute-Name
An attribute in the per-request configuration and control attributes.
Also known as "check" attributes (doc/variables.txt).
.PP
.PP
.SS Adding attributes to reply packet (or other location)
reply .= {
.br
attribute-name = value
.br
...
.br
attribute-name = value
.br
}
.DE
.PP
The first name can be "request", "reply", "control", "proxy-request",
or "proxy-reply".
.PP
The operator can be
.PP
.= - appends attributes to end of the list
.PP
:= - replaces existing list with the attributes in the list (bad idea)
.PP
= - use operators from "attribute = value" to decide what to do. (see "users")
.PP
The block must contain only attributes and values. Nothing else is permitted.
.SH SECTIONS
.BR authorize
.BR post-auth
.BR pre-proxy
.BR post-proxy
.PP
.SH FILES
.I /etc/raddb/radiusd.conf
.PP
.SH "SEE ALSO"
.BR radiusd (8),
.BR users (5),
.BR radiusd.conf (5)
.SH AUTHOR
Alan DeKok <aland@ox.org>