#
#	Example of forbidding all attempts to login via
#	realms.
#
deny_realms {
	if (User-Name =~ /@|\\/) {
		reject
	}
}

#
#	Filter the username
#
#  Force some sanity on User-Name. This helps to avoid issues
#  issues where the back-end database is "forgiving" about
#  what constitutes a user name.
#
filter_username {
	#
	#  reject mixed case
	#  e.g. "UseRNaMe"
	#
	if (User-Name != "%{tolower:%{User-Name}}") {
		reject
	}

	#
	#  reject all whitespace
	#  e.g. "user@ site.com", or "us er", or " user", or "user "
	#
	if (User-Name =~ / /) {
		update reply {
			Reply-Message += "Rejected: Username contains whitespace"
		}
		reject
	}

	#
	#  reject Multiple @'s
	#  e.g. "user@site.com@site.com"
	#
	if(User-Name =~ /@.*@/ ) {
		update reply {
			Reply-Message += "Rejected: Multiple @ in username"
		}
		reject
	}

	#
	#  reject double dots
	#  e.g. "user@site..com"
	#
	if (User-Name =~ /\\.\\./ ) {
		update reply {
			Reply-Message += "Rejected: Username contains ..s"
		}
		reject
	}

	#
	#  must have at least 1 string-dot-string after @
	#  e.g. "user@site.com"
	#
	if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
		update reply {
			Reply-Message += "Rejected: Realm does not have at least one dot separator"
		}
		reject
	}

	#
	#  Realm ends with a dot
	#  e.g. "user@site.com."
	#
	if (User-Name =~ /\\.$/)  {
		update reply {
			Reply-Message += "Rejected: Realm ends with a dot"
		}
		reject
	}

	#
	#  Realm begins with a dot
	#  e.g. "user@.site.com"
	#
	if (User-Name =~ /@\\./)  {
		update reply {
			Reply-Message += "Rejected: Realm begins with a dot"
		}
		reject
	}
}

