GEANT / CAT

web/lib/user/Skinjob.php

Braces +1 added lines, -2 removed lines

@@ -97,8 +97,7 @@
         // does the file exist in the current skin's directory? Has precedence
         if ($submodule !== '' && file_exists(__DIR__ . "/../../skins/" . $this->skin . "/" . $submodule . $path . $filename)) {
             $extrapath = "/skins/" . $this->skin . "/" . $submodule;
-        }
-        elseif (file_exists(__DIR__ . "/../../skins/" . $this->skin . $path . $filename)) {
+        } elseif (file_exists(__DIR__ . "/../../skins/" . $this->skin . $path . $filename)) {
             $extrapath = "/skins/" . $this->skin;
         } elseif (file_exists(__DIR__ . "/../../" . $path . $filename)) {
             $extrapath = "";

devices/linux/DeviceLinux.php

Braces +1 added lines, -2 removed lines

@@ -201,8 +201,7 @@
             
         if ($this->selectedEap == \core\common\EAP::EAPTYPE_TLS && isset($this->attributes['eap-specific:tls_use_other_id']) && $this->attributes['eap-specific:tls_use_other_id'][0] == 'on') {
             $configRaw['use_other_tls_id'] = "True";
-        }
-        else {
+        } else {
             $configRaw['use_other_tls_id'] = "False";
         }
 

web/admin/action_enrollment.php

Switch Indentation +8 added lines, -8 removed lines

@@ -49,14 +49,14 @@
 }
 
 switch ($_GET['token']) {
-    case "SELF-REGISTER":
-        $token = "SELF-REGISTER";
-        $checkval = \core\UserManagement::TOKENSTATUS_OK_NEW;
-        $federation = \config\ConfAssistant::CONSORTIUM['selfservice_registration'];
-        break;
-    default:
-        $token = $validator->token(filter_input(INPUT_GET,'token',FILTER_SANITIZE_STRING));
-        $checkval = $usermgmt->checkTokenValidity($token);
+        case "SELF-REGISTER":
+            $token = "SELF-REGISTER";
+            $checkval = \core\UserManagement::TOKENSTATUS_OK_NEW;
+            $federation = \config\ConfAssistant::CONSORTIUM['selfservice_registration'];
+            break;
+        default:
+            $token = $validator->token(filter_input(INPUT_GET,'token',FILTER_SANITIZE_STRING));
+            $checkval = $usermgmt->checkTokenValidity($token);
 }
 
 if ($checkval < 0) {

web/lib/admin/API.php

Braces +1 added lines, -2 removed lines

@@ -607,8 +607,7 @@
         $output = json_encode(["result" => "SUCCESS", "details" => $details], JSON_PRETTY_PRINT);
         if ($output === FALSE) {
             $this->returnError(API::ERROR_INTERNAL_ERROR, "Unable to JSON encode return data: ". json_last_error(). " - ". json_last_error_msg());
-        }
-        else {
+        } else {
             echo $output;
         }
     }

devices/linux/DeviceLinuxSh.php

Braces +1 added lines, -2 removed lines

@@ -203,8 +203,7 @@
 
         if ($this->selectedEap == \core\common\EAP::EAPTYPE_TLS && isset($this->attributes['eap-specific:tls_use_other_id']) && $this->attributes['eap-specific:tls_use_other_id'][0] == 'on') {
             $configRaw['USE_OTHER_TLS_ID'] = true;
-        }
-        else {
+        } else {
             $configRaw['USE_OTHER_TLS_ID'] = false;
         }
 

web/diag/action_realmcheck.php

Braces +16 added lines, -1 removed lines

@@ -755,7 +755,22 @@
                 }
             ?>
                 <div id="tabs-<?php echo $i;?>">
-                    <button id="run_<?php if ($i==3) echo 'd'; else echo 'o';?>_tests"; onclick="run_<?php if ($i==3) echo 'dynamic'; else echo 'openroaming';?>()"><?php if ($i==3) echo _("Repeat dynamic connectivity tests"); else echo _("Repeat OpenRoaming connectivity tests");?></button>
+                    <button id="run_<?php if ($i==3) {
+    echo 'd';
+} else {
+    echo 'o';
+}
+?>_tests"; onclick="run_<?php if ($i==3) {
+    echo 'dynamic';
+} else {
+    echo 'openroaming';
+}
+?>()"><?php if ($i==3) {
+    echo _("Repeat dynamic connectivity tests");
+} else {
+    echo _("Repeat OpenRoaming connectivity tests");
+}
+?></button>
 
                 <?php
                     echo "<div id='";

web/admin/inc/sendinvite.inc.php

Switch Indentation +87 added lines, -87 removed lines

@@ -98,98 +98,98 @@
 }
 
 switch ($operationMode) {
-    case OPERATION_MODE_EDIT:
-        $idp = $validator->existingIdP($_GET['inst_id']);
-        // editing IdPs is done from within the popup. When we're done, send the 
-        // user back to the popup (append the result of the operation later)
-        $redirectDestination = "manageAdmins.inc.php?inst_id=" . $idp->identifier . "&";
-        if (count($validAddresses) == 0) {
-            header("Location: $redirectDestination" . "invitation=INVALIDSYNTAX");
-            exit(1);
-        }
-        // is the user primary admin of this IdP?
-        $is_owner = $idp->isPrimaryOwner($_SESSION['user']);
-        // check if he is (also) federation admin for the federation this IdP is in. His invitations have more blessing then.
-        $fedadmin = $userObject->isFederationAdmin($idp->federation);
-        // check if he is either one, if not, complain
-        if (!$is_owner && !$fedadmin) {
-            echo "<p>" . sprintf(_("Something's wrong... you are a %s admin, but not for the %s the requested %s belongs to!"), $uiElements->nomenclatureFed, $uiElements->nomenclatureFed, $uiElements->nomenclatureParticipant) . "</p>";
-            exit(1);
-        }
+        case OPERATION_MODE_EDIT:
+            $idp = $validator->existingIdP($_GET['inst_id']);
+            // editing IdPs is done from within the popup. When we're done, send the 
+            // user back to the popup (append the result of the operation later)
+            $redirectDestination = "manageAdmins.inc.php?inst_id=" . $idp->identifier . "&";
+            if (count($validAddresses) == 0) {
+                header("Location: $redirectDestination" . "invitation=INVALIDSYNTAX");
+                exit(1);
+            }
+            // is the user primary admin of this IdP?
+            $is_owner = $idp->isPrimaryOwner($_SESSION['user']);
+            // check if he is (also) federation admin for the federation this IdP is in. His invitations have more blessing then.
+            $fedadmin = $userObject->isFederationAdmin($idp->federation);
+            // check if he is either one, if not, complain
+            if (!$is_owner && !$fedadmin) {
+                echo "<p>" . sprintf(_("Something's wrong... you are a %s admin, but not for the %s the requested %s belongs to!"), $uiElements->nomenclatureFed, $uiElements->nomenclatureFed, $uiElements->nomenclatureParticipant) . "</p>";
+                exit(1);
+            }
 
-        $prettyprintname = $idp->name;
-        $newtokens = $mgmt->createTokens($fedadmin, $validAddresses, $idp);
-        $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP " . $idp->identifier . " - Token created for " . implode(",", $validAddresses));
-        $introtext = "CO-ADMIN";
-        $participant_type = $idp->type;
-        break;
-    case OPERATION_MODE_NEWUNLINKED:
-        $redirectDestination = "../overview_federation.php?";
-        if (count($validAddresses) == 0) {
-            header("Location: $redirectDestination"."invitation=INVALIDSYNTAX");
-            exit(1);
-        }
-        // run an input check and conversion of the raw inputs... just in case
-        $newinstname = $validator->string($_POST['name']);
-        $newcountry = $validator->string($_POST['country']);
-        $participant_type = $validator->partType($_POST['participant_type']);
-        $new_idp_authorized_fedadmin = $userObject->isFederationAdmin($newcountry);
-        if ($new_idp_authorized_fedadmin !== TRUE) {
-            throw new Exception("Something's wrong... you want to create a new " . $uiElements->nomenclatureParticipant . ", but are not a " . $uiElements->nomenclatureFed . " admin for the " . $uiElements->nomenclatureFed . " it should be in!");
-        }
-        $federation = $validator->existingFederation($newcountry);
-        $prettyprintname = $newinstname;
-        $introtext = "NEW-FED";
-        // send the user back to his federation overview page, append the result of the operation later
-        // do the token creation magic
-        $newtokens = $mgmt->createTokens(TRUE, $validAddresses, $newinstname, 0, $newcountry, $participant_type);
-        $loggerInstance->writeAudit($_SESSION['user'], "NEW", "ORG FUTURE  - Token created for $participant_type " . implode(",", $validAddresses));
-        break;
-    case OPERATION_MODE_NEWFROMDB:
-        $redirectDestination = "../overview_federation.php?";
-        if (count($validAddresses) == 0) {
-            header("Location: $redirectDestination"."invitation=INVALIDSYNTAX");
-            exit(1);
-        }
-        // a real external DB entry was submitted and all the required parameters are there
-        $newexternalid = $validator->string($_POST['externals']);
-        $extinfo = $catInstance->getExternalDBEntityDetails($newexternalid);
-        $new_idp_authorized_fedadmin = $userObject->isFederationAdmin($extinfo['country']);
-        if ($new_idp_authorized_fedadmin !== TRUE) {
-            throw new Exception("Something's wrong... you want to create a new " . $uiElements->nomenclatureParticipant . ", but are not a " . $uiElements->nomenclatureFed . " admin for the " . $uiElements->nomenclatureFed . " it should be in!");
-        }
-        $federation = $validator->existingFederation($extinfo['country']);
-        $newcountry = $extinfo['country'];
-        // see if the inst name is defined in the currently set language; if not, pick its English name; if N/A, pick the last in the list
-        $prettyprintname = "";
-        foreach ($extinfo['names'] as $lang => $name) {
-            if ($lang == $languageInstance->getLang()) {
-                $prettyprintname = $name;
+            $prettyprintname = $idp->name;
+            $newtokens = $mgmt->createTokens($fedadmin, $validAddresses, $idp);
+            $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP " . $idp->identifier . " - Token created for " . implode(",", $validAddresses));
+            $introtext = "CO-ADMIN";
+            $participant_type = $idp->type;
+            break;
+        case OPERATION_MODE_NEWUNLINKED:
+            $redirectDestination = "../overview_federation.php?";
+            if (count($validAddresses) == 0) {
+                header("Location: $redirectDestination"."invitation=INVALIDSYNTAX");
+                exit(1);
             }
-        }
-        if ($prettyprintname == "" && isset($extinfo['names']['en'])) {
-            $prettyprintname = $extinfo['names']['en'];
-        }
-        if ($prettyprintname == "") {
-            foreach ($extinfo['names'] as $name) {
-                $prettyprintname = $name;
+            // run an input check and conversion of the raw inputs... just in case
+            $newinstname = $validator->string($_POST['name']);
+            $newcountry = $validator->string($_POST['country']);
+            $participant_type = $validator->partType($_POST['participant_type']);
+            $new_idp_authorized_fedadmin = $userObject->isFederationAdmin($newcountry);
+            if ($new_idp_authorized_fedadmin !== TRUE) {
+                throw new Exception("Something's wrong... you want to create a new " . $uiElements->nomenclatureParticipant . ", but are not a " . $uiElements->nomenclatureFed . " admin for the " . $uiElements->nomenclatureFed . " it should be in!");
             }
-        }
-        $participant_type = $extinfo['type'];
-        // fill the rest of the text
-        $introtext = "EXISTING-FED";
-        // do the token creation magic
-        $newtokens = $mgmt->createTokens(TRUE, $validAddresses, $prettyprintname, $newexternalid);
-        $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP FUTURE  - Token created for " . implode(",", $validAddresses));
-        break;
-    default: // includes OPERATION_MODE_INVALID
-        // second param is TRUE, so the variable *will* contain a string
-        // i.e. ignore Scrutinizer type warning later
-        $wrongcontent = print_r($_POST, TRUE);
-        echo "<pre>Wrong parameters in POST:
+            $federation = $validator->existingFederation($newcountry);
+            $prettyprintname = $newinstname;
+            $introtext = "NEW-FED";
+            // send the user back to his federation overview page, append the result of the operation later
+            // do the token creation magic
+            $newtokens = $mgmt->createTokens(TRUE, $validAddresses, $newinstname, 0, $newcountry, $participant_type);
+            $loggerInstance->writeAudit($_SESSION['user'], "NEW", "ORG FUTURE  - Token created for $participant_type " . implode(",", $validAddresses));
+            break;
+        case OPERATION_MODE_NEWFROMDB:
+            $redirectDestination = "../overview_federation.php?";
+            if (count($validAddresses) == 0) {
+                header("Location: $redirectDestination"."invitation=INVALIDSYNTAX");
+                exit(1);
+            }
+            // a real external DB entry was submitted and all the required parameters are there
+            $newexternalid = $validator->string($_POST['externals']);
+            $extinfo = $catInstance->getExternalDBEntityDetails($newexternalid);
+            $new_idp_authorized_fedadmin = $userObject->isFederationAdmin($extinfo['country']);
+            if ($new_idp_authorized_fedadmin !== TRUE) {
+                throw new Exception("Something's wrong... you want to create a new " . $uiElements->nomenclatureParticipant . ", but are not a " . $uiElements->nomenclatureFed . " admin for the " . $uiElements->nomenclatureFed . " it should be in!");
+            }
+            $federation = $validator->existingFederation($extinfo['country']);
+            $newcountry = $extinfo['country'];
+            // see if the inst name is defined in the currently set language; if not, pick its English name; if N/A, pick the last in the list
+            $prettyprintname = "";
+            foreach ($extinfo['names'] as $lang => $name) {
+                if ($lang == $languageInstance->getLang()) {
+                    $prettyprintname = $name;
+                }
+            }
+            if ($prettyprintname == "" && isset($extinfo['names']['en'])) {
+                $prettyprintname = $extinfo['names']['en'];
+            }
+            if ($prettyprintname == "") {
+                foreach ($extinfo['names'] as $name) {
+                    $prettyprintname = $name;
+                }
+            }
+            $participant_type = $extinfo['type'];
+            // fill the rest of the text
+            $introtext = "EXISTING-FED";
+            // do the token creation magic
+            $newtokens = $mgmt->createTokens(TRUE, $validAddresses, $prettyprintname, $newexternalid);
+            $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP FUTURE  - Token created for " . implode(",", $validAddresses));
+            break;
+        default: // includes OPERATION_MODE_INVALID
+            // second param is TRUE, so the variable *will* contain a string
+            // i.e. ignore Scrutinizer type warning later
+            $wrongcontent = print_r($_POST, TRUE);
+            echo "<pre>Wrong parameters in POST:
 " . htmlspecialchars(/** @scrutinizer ignore-type */ $wrongcontent) . "
 </pre>";
-        exit(1);
+            exit(1);
 }
 
 // send, and invalidate the token immediately if the mail could not be sent!

web/admin/edit_hotspot.php

Switch Indentation +6 added lines, -6 removed lines

@@ -156,12 +156,12 @@
     }
     if (isset($_POST['command'])) {
         switch ($_POST['command']) {
-        case web\lib\common\FormElements::BUTTON_CLOSE:
-            header("Location: overview_org.php?inst_id=" . $my_inst->identifier);
-            exit(0);
-        default:
-            header("Location: overview_org.php?inst_id=" . $my_inst->identifier);
-            exit(0);
+            case web\lib\common\FormElements::BUTTON_CLOSE:
+                header("Location: overview_org.php?inst_id=" . $my_inst->identifier);
+                exit(0);
+            default:
+                header("Location: overview_org.php?inst_id=" . $my_inst->identifier);
+                exit(0);
         }
     }
     $vlan = $deployment->getAttributes("managedsp:vlan")[0]['value'] ?? NULL;

web/admin/edit_profile_result.php

Switch Indentation +268 added lines, -268 removed lines

@@ -40,80 +40,80 @@ 
 }
 
 switch ($_POST['submitbutton']) {
-    case web\lib\common\FormElements::BUTTON_DELETE:
-        if (!isset($_GET['profile_id'])) {
-            throw new Exception("Can only delete a profile that exists and is named!");
-        }
-        $profileToBeDel = $validator->existingProfile($_GET['profile_id'], $my_inst->identifier);
-        $profileToBeDel->destroy();
-        $loggerInstance->writeAudit($_SESSION['user'], "DEL", "Profile " . $profileToBeDel->identifier);
-        header("Location: overview_org.php?inst_id=$my_inst->identifier");
-        exit;
-    case web\lib\common\FormElements::BUTTON_SAVE:
-        if (isset($_GET['profile_id'])) {
-            $profile = $validator->existingProfile($_GET['profile_id'], $my_inst->identifier);
-            echo $deco->pageheader(sprintf(_("%s: Edit Profile - Result"), \config\Master::APPEARANCE['productname']), "ADMIN-IDP");
-        } else {
-            $profile = $my_inst->newProfile(core\AbstractProfile::PROFILETYPE_RADIUS);
-            $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP " . $my_inst->identifier . " - Profile created");
-            echo $deco->pageheader(sprintf(_("%s: Profile wizard (step 3 completed)"), \config\Master::APPEARANCE['productname']), "ADMIN-IDP");
-        }
-        if (!$profile instanceof \core\ProfileRADIUS) {
-            throw new Exception("This page should only be called to submit RADIUS Profile information!");
-        }
-// extended input checks
-        $realm = FALSE;
-        if (isset($_POST['realm']) && $_POST['realm'] != "") {
-            $realm = $validator->realm(filter_input(INPUT_POST, 'realm', FILTER_SANITIZE_STRING));
-        }
+        case web\lib\common\FormElements::BUTTON_DELETE:
+            if (!isset($_GET['profile_id'])) {
+                throw new Exception("Can only delete a profile that exists and is named!");
+            }
+            $profileToBeDel = $validator->existingProfile($_GET['profile_id'], $my_inst->identifier);
+            $profileToBeDel->destroy();
+            $loggerInstance->writeAudit($_SESSION['user'], "DEL", "Profile " . $profileToBeDel->identifier);
+            header("Location: overview_org.php?inst_id=$my_inst->identifier");
+            exit;
+        case web\lib\common\FormElements::BUTTON_SAVE:
+            if (isset($_GET['profile_id'])) {
+                $profile = $validator->existingProfile($_GET['profile_id'], $my_inst->identifier);
+                echo $deco->pageheader(sprintf(_("%s: Edit Profile - Result"), \config\Master::APPEARANCE['productname']), "ADMIN-IDP");
+            } else {
+                $profile = $my_inst->newProfile(core\AbstractProfile::PROFILETYPE_RADIUS);
+                $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP " . $my_inst->identifier . " - Profile created");
+                echo $deco->pageheader(sprintf(_("%s: Profile wizard (step 3 completed)"), \config\Master::APPEARANCE['productname']), "ADMIN-IDP");
+            }
+            if (!$profile instanceof \core\ProfileRADIUS) {
+                throw new Exception("This page should only be called to submit RADIUS Profile information!");
+            }
+    // extended input checks
+            $realm = FALSE;
+            if (isset($_POST['realm']) && $_POST['realm'] != "") {
+                $realm = $validator->realm(filter_input(INPUT_POST, 'realm', FILTER_SANITIZE_STRING));
+            }
 
-        $anon = FALSE;
-        if (isset($_POST['anon_support'])) {
-            $anon = $validator->boolean($_POST['anon_support']);
-        }
+            $anon = FALSE;
+            if (isset($_POST['anon_support'])) {
+                $anon = $validator->boolean($_POST['anon_support']);
+            }
 
-        $anonLocal = "anonymous";
-        if (isset($_POST['anon_local'])) {
-            $anonLocal = $validator->string(filter_input(INPUT_POST, 'anon_local', FILTER_SANITIZE_STRING));
-        } else { // get the old anon outer id from DB. People don't appreciate "forgetting" it when unchecking anon id
-            $local = $profile->getAttributes("internal:anon_local_value");
-            if (isset($local[0])) {
-                $anonLocal = $local[0]['value'];
+            $anonLocal = "anonymous";
+            if (isset($_POST['anon_local'])) {
+                $anonLocal = $validator->string(filter_input(INPUT_POST, 'anon_local', FILTER_SANITIZE_STRING));
+            } else { // get the old anon outer id from DB. People don't appreciate "forgetting" it when unchecking anon id
+                $local = $profile->getAttributes("internal:anon_local_value");
+                if (isset($local[0])) {
+                    $anonLocal = $local[0]['value'];
+                }
             }
-        }
 
-        $checkuser = FALSE;
-        if (isset($_POST['checkuser_support'])) {
-            $checkuser = $validator->boolean($_POST['checkuser_support']);
-        }
+            $checkuser = FALSE;
+            if (isset($_POST['checkuser_support'])) {
+                $checkuser = $validator->boolean($_POST['checkuser_support']);
+            }
 
-        $checkuser_name1 = "anonymous";
-        if (isset($_POST['checkuser_local'])) {
-            $checkuser_name1 = $validator->string($_POST['checkuser_local']);
-        } else { // get the old value from profile settings. People don't appreciate "forgetting" it when unchecking
-            $checkuser_name1 = $profile->getAttributes("internal:checkuser_value")[0]['value'];
-        }
-// it's a RADIUS username; and it's displayed later on. Be sure it contains no
-// "interesting" HTML characters before further processing
-        $checkuser_name = htmlentities($checkuser_name1);
+            $checkuser_name1 = "anonymous";
+            if (isset($_POST['checkuser_local'])) {
+                $checkuser_name1 = $validator->string($_POST['checkuser_local']);
+            } else { // get the old value from profile settings. People don't appreciate "forgetting" it when unchecking
+                $checkuser_name1 = $profile->getAttributes("internal:checkuser_value")[0]['value'];
+            }
+    // it's a RADIUS username; and it's displayed later on. Be sure it contains no
+    // "interesting" HTML characters before further processing
+            $checkuser_name = htmlentities($checkuser_name1);
 
-        $verify = FALSE;
-        $hint = FALSE;
-        $redirect = FALSE;
-        if (isset($_POST['verify_support'])) {
-            $verify = $validator->boolean($_POST['verify_support']);
-        }
-        if (isset($_POST['hint_support'])) {
-            $hint = $validator->boolean($_POST['hint_support']);
-        }
-        if (isset($_POST['redirect'])) {
-            $redirect = $validator->boolean($_POST['redirect']);
-        }
-        ?>
-        <h1><?php
-            $tablecaption = _("Submitted attributes for this profile");
-            echo $tablecaption;
-            ?></h1>
+            $verify = FALSE;
+            $hint = FALSE;
+            $redirect = FALSE;
+            if (isset($_POST['verify_support'])) {
+                $verify = $validator->boolean($_POST['verify_support']);
+            }
+            if (isset($_POST['hint_support'])) {
+                $hint = $validator->boolean($_POST['hint_support']);
+            }
+            if (isset($_POST['redirect'])) {
+                $redirect = $validator->boolean($_POST['redirect']);
+            }
+            ?>
+            <h1><?php
+                $tablecaption = _("Submitted attributes for this profile");
+                echo $tablecaption;
+                ?></h1>
         <table>
             <caption><?php echo $tablecaption; ?></caption>
             <tr>
@@ -121,245 +121,245 @@ 
                 <th class="wai-invisible" scope="col"><?php echo _("Details"); ?></th>
             </tr>
             <?php
-            $uiElements = new web\lib\admin\UIElements();
-            // set realm info, if submitted
-            if ($realm !== FALSE) {
-                $profile->setRealm($anonLocal . "@" . $realm);
-                echo $uiElements->boxOkay(sprintf(_("Realm: <strong>%s</strong>"), $realm));
-            } else {
-                $profile->setRealm("");
-            }
-            // set anon ID, if submitted
-            if ($anon !== FALSE) {
-                if ($realm === FALSE) {
-                    echo $uiElements->boxError(_("Anonymous Outer Identities cannot be turned on: realm is missing!"));
+                $uiElements = new web\lib\admin\UIElements();
+                // set realm info, if submitted
+                if ($realm !== FALSE) {
+                    $profile->setRealm($anonLocal . "@" . $realm);
+                    echo $uiElements->boxOkay(sprintf(_("Realm: <strong>%s</strong>"), $realm));
                 } else {
-                    $profile->setAnonymousIDSupport(true);
-                    echo $uiElements->boxOkay(sprintf(_("Anonymous Identity support is <strong>%s</strong>, the anonymous outer identity is <strong>%s</strong>"), _("ON"), $profile->realm));
+                    $profile->setRealm("");
                 }
-            } else {
-                $profile->setAnonymousIDSupport(false);
-                echo $uiElements->boxOkay(sprintf(_("Anonymous Identity support is <strong>%s</strong>"), _("OFF")));
-                if ($verify === FALSE) { // no anon outer ID, and no realm suffix verification? Bad idea!
-                    echo $uiElements->boxWarning(_("Without Anonymous Identity, the actual username will be used as outer identity and be the basis for request routing. For that to work, the username must have a correct realm suffix. Yet, realm suffix verification has been turned OFF. Supplicants will not verify that usernames contain a realm, and errors such as username 'johndoe' which will not work in roaming scenarios will not be prohibited. Consider checking the box 'Enforce realm suffix in username'!"));
-                }
-            }
-
-            if ($checkuser !== FALSE) {
-                if ($realm === FALSE) {
-                    echo $uiElements->boxError(_("Realm check username cannot be configured: realm is missing!"));
+                // set anon ID, if submitted
+                if ($anon !== FALSE) {
+                    if ($realm === FALSE) {
+                        echo $uiElements->boxError(_("Anonymous Outer Identities cannot be turned on: realm is missing!"));
+                    } else {
+                        $profile->setAnonymousIDSupport(true);
+                        echo $uiElements->boxOkay(sprintf(_("Anonymous Identity support is <strong>%s</strong>, the anonymous outer identity is <strong>%s</strong>"), _("ON"), $profile->realm));
+                    }
                 } else {
-                    $profile->setRealmcheckUser(true, $checkuser_name);
-                    echo $uiElements->boxOkay(sprintf(_("Special username for realm check is <strong>%s</strong>, the value is <strong>%s</strong>"), _("ON"), $checkuser_name . "@" . $realm));
+                    $profile->setAnonymousIDSupport(false);
+                    echo $uiElements->boxOkay(sprintf(_("Anonymous Identity support is <strong>%s</strong>"), _("OFF")));
+                    if ($verify === FALSE) { // no anon outer ID, and no realm suffix verification? Bad idea!
+                        echo $uiElements->boxWarning(_("Without Anonymous Identity, the actual username will be used as outer identity and be the basis for request routing. For that to work, the username must have a correct realm suffix. Yet, realm suffix verification has been turned OFF. Supplicants will not verify that usernames contain a realm, and errors such as username 'johndoe' which will not work in roaming scenarios will not be prohibited. Consider checking the box 'Enforce realm suffix in username'!"));
+                    }
                 }
-            } else {
-                $profile->setRealmCheckUser(false);
-                echo $uiElements->boxOkay(_("No special username for realm checks is configured."));
-            }
 
-            if ($verify !== FALSE) {
-                $profile->setInputVerificationPreference($verify, $hint);
-                $extratext = "";
-                if (!empty($realm)) {
-                    if ($hint !== FALSE) {
-                        $extratext = " " . sprintf(_("The realm portion MUST be exactly '...@%s'."), $realm);
+                if ($checkuser !== FALSE) {
+                    if ($realm === FALSE) {
+                        echo $uiElements->boxError(_("Realm check username cannot be configured: realm is missing!"));
                     } else {
-                        $extratext = " " . sprintf(_("The realm portion MUST end with '%s' but sub-realms of it are allowed (i.e. 'user@%s' and 'user@<...>.%s' are both acceptable)."), $realm, $realm, $realm);
+                        $profile->setRealmcheckUser(true, $checkuser_name);
+                        echo $uiElements->boxOkay(sprintf(_("Special username for realm check is <strong>%s</strong>, the value is <strong>%s</strong>"), _("ON"), $checkuser_name . "@" . $realm));
                     }
+                } else {
+                    $profile->setRealmCheckUser(false);
+                    echo $uiElements->boxOkay(_("No special username for realm checks is configured."));
                 }
-                echo $uiElements->boxOkay(_("Where possible, supplicants will verify that username inputs contain a syntactically correct realm.") . $extratext);
-            } else {
-                $profile->setInputVerificationPreference(false, false);
-            }
-
-            echo $optionParser->processSubmittedFields($profile, $_POST, $_FILES);
 
-            if ($redirect !== FALSE) {
-                if (!isset($_POST['redirect_target']) || $_POST['redirect_target'] == "") {
-                    echo $uiElements->boxError(_("Redirection can't be activated - you did not specify a target location!"));
-                } elseif (!preg_match("/^(http|https):\/\//", $_POST['redirect_target'])) {
-                    echo $uiElements->boxError(_("Redirection can't be activated - the target needs to be a complete URL starting with http:// or https:// !"));
-                } else {
-                    $profile->addAttribute("device-specific:redirect", 'C', $_POST['redirect_target']);
-                    // check if there is a device-level redirect which effectively disables profile-level redirect, and warn if so
-                    $redirects = $profile->getAttributes("device-specific:redirect");
-                    $deviceSpecificFound = FALSE;
-                    foreach ($redirects as $oneRedirect) {
-                        if ($oneRedirect["level"] == \core\Options::LEVEL_METHOD) {
-                            $deviceSpecificFound = TRUE;
+                if ($verify !== FALSE) {
+                    $profile->setInputVerificationPreference($verify, $hint);
+                    $extratext = "";
+                    if (!empty($realm)) {
+                        if ($hint !== FALSE) {
+                            $extratext = " " . sprintf(_("The realm portion MUST be exactly '...@%s'."), $realm);
+                        } else {
+                            $extratext = " " . sprintf(_("The realm portion MUST end with '%s' but sub-realms of it are allowed (i.e. 'user@%s' and 'user@<...>.%s' are both acceptable)."), $realm, $realm, $realm);
                         }
                     }
-                    if ($deviceSpecificFound) {
-                        echo $uiElements->boxWarning(sprintf(_("Redirection set to <strong>%s</strong>, but will be ignored due to existing device-level redirect."), htmlspecialchars($_POST['redirect_target'])));
-                    } else {
-                        echo $uiElements->boxOkay(sprintf(_("Redirection set to <strong>%s</strong>"), htmlspecialchars($_POST['redirect_target'])));
-                    }
+                    echo $uiElements->boxOkay(_("Where possible, supplicants will verify that username inputs contain a syntactically correct realm.") . $extratext);
+                } else {
+                    $profile->setInputVerificationPreference(false, false);
                 }
-            } else {
-                echo $uiElements->boxOkay(_("Redirection is <strong>OFF</strong>"));
-            }
 
-            $loggerInstance->writeAudit($_SESSION['user'], "MOD", "Profile " . $profile->identifier . " - attributes changed");
-            // reload the profile to ingest new CA and server names if any; before checking EAP completeness
-            $reloadedProfileNr1 = \core\ProfileFactory::instantiate($profile->identifier);
-            foreach (\core\common\EAP::listKnownEAPTypes() as $a) {
-                if ($a->getIntegerRep() == \core\common\EAP::INTEGER_SILVERBULLET) { // do not allow adding silverbullet via the backdoor
-                    continue;
-                }
-                if (isset($_POST[$a->getPrintableRep()]) && isset($_POST[$a->getPrintableRep() . "-priority"]) && is_numeric($_POST[$a->getPrintableRep() . "-priority"])) {
-                    $priority = (int) $_POST[$a->getPrintableRep() . "-priority"];
-                    // add EAP type to profile as requested, but ...
-                    $reloadedProfileNr1->addSupportedEapMethod($a, $priority);
-                    $loggerInstance->writeAudit($_SESSION['user'], "MOD", "Profile " . $reloadedProfileNr1->identifier . " - supported EAP types changed");
-                    // see if we can enable the EAP type, or if info is missing
-                    $eapcompleteness = $reloadedProfileNr1->isEapTypeDefinitionComplete($a);
-                    if ($eapcompleteness === true) {
-                        echo $uiElements->boxOkay(_("Supported EAP Type: ") . "<strong>" . $a->getPrintableRep() . "</strong>");
+                echo $optionParser->processSubmittedFields($profile, $_POST, $_FILES);
+
+                if ($redirect !== FALSE) {
+                    if (!isset($_POST['redirect_target']) || $_POST['redirect_target'] == "") {
+                        echo $uiElements->boxError(_("Redirection can't be activated - you did not specify a target location!"));
+                    } elseif (!preg_match("/^(http|https):\/\//", $_POST['redirect_target'])) {
+                        echo $uiElements->boxError(_("Redirection can't be activated - the target needs to be a complete URL starting with http:// or https:// !"));
                     } else {
-                        $warntext = "";
-                        if (is_array($eapcompleteness)) {
-                            foreach ($eapcompleteness as $item) {
-                                $warntext .= "<strong>" . $uiElements->displayName($item) . "</strong> ";
+                        $profile->addAttribute("device-specific:redirect", 'C', $_POST['redirect_target']);
+                        // check if there is a device-level redirect which effectively disables profile-level redirect, and warn if so
+                        $redirects = $profile->getAttributes("device-specific:redirect");
+                        $deviceSpecificFound = FALSE;
+                        foreach ($redirects as $oneRedirect) {
+                            if ($oneRedirect["level"] == \core\Options::LEVEL_METHOD) {
+                                $deviceSpecificFound = TRUE;
                             }
                         }
-                        echo $uiElements->boxWarning(sprintf(_("Supported EAP Type: <strong>%s</strong> is missing required information %s !"), $a->getPrintableRep(), $warntext) . "<br/>" . _("The EAP type was added to the profile, but you need to complete the missing information before we can produce installers for you."));
+                        if ($deviceSpecificFound) {
+                            echo $uiElements->boxWarning(sprintf(_("Redirection set to <strong>%s</strong>, but will be ignored due to existing device-level redirect."), htmlspecialchars($_POST['redirect_target'])));
+                        } else {
+                            echo $uiElements->boxOkay(sprintf(_("Redirection set to <strong>%s</strong>"), htmlspecialchars($_POST['redirect_target'])));
+                        }
                     }
+                } else {
+                    echo $uiElements->boxOkay(_("Redirection is <strong>OFF</strong>"));
                 }
-            }
-            // re-instantiate $profile again, we need to do final checks on the
-            // full set of new information
-            $reloadedProfileNr2 = \core\ProfileFactory::instantiate($profile->identifier);
-            $significantChanges = \core\AbstractProfile::significantChanges($profile, $reloadedProfileNr2);
-            if (count($significantChanges) > 0) {
-                $myInstOriginal = new \core\IdP($profile->institution);
-                // send a notification/alert mail to someone we know is in charge
-                $text = _("To whom it may concern,") . "\n\n";
-                /// were made to the *Identity Provider* *LU* / integer number of IdP / (previously known as) Name
-                $text .= sprintf(_("significant changes were made to a RADIUS deployment profile of the %s %s / %s / '%s'."), $ui->nomenclatureIdP, strtoupper($myInstOriginal->federation), $myInstOriginal->identifier, $myInstOriginal->name) . "\n\n";
-                if (isset($significantChanges[\core\AbstractProfile::CA_CLASH_ADDED])) {
-                    $text .= _("WARNING! A new trusted root CA was added, and it has the exact same name as a previously existing root CA. This may (but does not necessarily) mean that this is an attempt to insert an unauthorised trust root by disguising as the genuine one. The details are below:") . "\n\n";
-                    $text .= $significantChanges[\core\AbstractProfile::CA_CLASH_ADDED] . "\n\n";
-                }
-                if (isset($significantChanges[\core\AbstractProfile::CA_ADDED])) {
-                    $text .= _("A new trusted root CA was added. The details are below:") . "\n\n";
-                    $text .= $significantChanges[\core\AbstractProfile::CA_ADDED] . "\n\n";
-                }
-                if (isset($significantChanges[\core\AbstractProfile::SERVERNAME_ADDED])) {
-                    $text .= _("A new acceptable server name for the authentication server was added. The details are below:") . "\n\n";
-                    $text .= $significantChanges[\core\AbstractProfile::SERVERNAME_ADDED] . "\n\n";
+
+                $loggerInstance->writeAudit($_SESSION['user'], "MOD", "Profile " . $profile->identifier . " - attributes changed");
+                // reload the profile to ingest new CA and server names if any; before checking EAP completeness
+                $reloadedProfileNr1 = \core\ProfileFactory::instantiate($profile->identifier);
+                foreach (\core\common\EAP::listKnownEAPTypes() as $a) {
+                    if ($a->getIntegerRep() == \core\common\EAP::INTEGER_SILVERBULLET) { // do not allow adding silverbullet via the backdoor
+                        continue;
+                    }
+                    if (isset($_POST[$a->getPrintableRep()]) && isset($_POST[$a->getPrintableRep() . "-priority"]) && is_numeric($_POST[$a->getPrintableRep() . "-priority"])) {
+                        $priority = (int) $_POST[$a->getPrintableRep() . "-priority"];
+                        // add EAP type to profile as requested, but ...
+                        $reloadedProfileNr1->addSupportedEapMethod($a, $priority);
+                        $loggerInstance->writeAudit($_SESSION['user'], "MOD", "Profile " . $reloadedProfileNr1->identifier . " - supported EAP types changed");
+                        // see if we can enable the EAP type, or if info is missing
+                        $eapcompleteness = $reloadedProfileNr1->isEapTypeDefinitionComplete($a);
+                        if ($eapcompleteness === true) {
+                            echo $uiElements->boxOkay(_("Supported EAP Type: ") . "<strong>" . $a->getPrintableRep() . "</strong>");
+                        } else {
+                            $warntext = "";
+                            if (is_array($eapcompleteness)) {
+                                foreach ($eapcompleteness as $item) {
+                                    $warntext .= "<strong>" . $uiElements->displayName($item) . "</strong> ";
+                                }
+                            }
+                            echo $uiElements->boxWarning(sprintf(_("Supported EAP Type: <strong>%s</strong> is missing required information %s !"), $a->getPrintableRep(), $warntext) . "<br/>" . _("The EAP type was added to the profile, but you need to complete the missing information before we can produce installers for you."));
+                        }
+                    }
                 }
-                $text .= _("This mail is merely a cross-check because these changes can be security-relevant. If the change was expected, you do not need to take any action.") . "\n\n";
-                $text .= _("Greetings, ") . "\n\n" . \config\Master::APPEARANCE['productname_long'];
-                // (currently, send hard-wired to NRO - future: for linked insts, check eduroam DBv2 and send to registered admins directly)
-                $fed = new core\Federation($myInstOriginal->federation);
-                $loggerInstance->debug(2, $myInstOriginal->federation, "FED: ", "\n");
-                foreach ($fed->listFederationAdmins() as $id) {
-                    $user = new core\User($id);
-                    $mailaddr = $user->getAttributes("user:email")[0]['value'];
-                    $loggerInstance->debug(2, $mailaddr, "FED MAIL: ", "\n");
-                    $user->sendMailToUser(sprintf(_("%s: Significant Changes made to %s"), \config\Master::APPEARANCE['productname'], $ui->nomenclatureIdP), $text);
+                // re-instantiate $profile again, we need to do final checks on the
+                // full set of new information
+                $reloadedProfileNr2 = \core\ProfileFactory::instantiate($profile->identifier);
+                $significantChanges = \core\AbstractProfile::significantChanges($profile, $reloadedProfileNr2);
+                if (count($significantChanges) > 0) {
+                    $myInstOriginal = new \core\IdP($profile->institution);
+                    // send a notification/alert mail to someone we know is in charge
+                    $text = _("To whom it may concern,") . "\n\n";
+                    /// were made to the *Identity Provider* *LU* / integer number of IdP / (previously known as) Name
+                    $text .= sprintf(_("significant changes were made to a RADIUS deployment profile of the %s %s / %s / '%s'."), $ui->nomenclatureIdP, strtoupper($myInstOriginal->federation), $myInstOriginal->identifier, $myInstOriginal->name) . "\n\n";
+                    if (isset($significantChanges[\core\AbstractProfile::CA_CLASH_ADDED])) {
+                        $text .= _("WARNING! A new trusted root CA was added, and it has the exact same name as a previously existing root CA. This may (but does not necessarily) mean that this is an attempt to insert an unauthorised trust root by disguising as the genuine one. The details are below:") . "\n\n";
+                        $text .= $significantChanges[\core\AbstractProfile::CA_CLASH_ADDED] . "\n\n";
+                    }
+                    if (isset($significantChanges[\core\AbstractProfile::CA_ADDED])) {
+                        $text .= _("A new trusted root CA was added. The details are below:") . "\n\n";
+                        $text .= $significantChanges[\core\AbstractProfile::CA_ADDED] . "\n\n";
+                    }
+                    if (isset($significantChanges[\core\AbstractProfile::SERVERNAME_ADDED])) {
+                        $text .= _("A new acceptable server name for the authentication server was added. The details are below:") . "\n\n";
+                        $text .= $significantChanges[\core\AbstractProfile::SERVERNAME_ADDED] . "\n\n";
+                    }
+                    $text .= _("This mail is merely a cross-check because these changes can be security-relevant. If the change was expected, you do not need to take any action.") . "\n\n";
+                    $text .= _("Greetings, ") . "\n\n" . \config\Master::APPEARANCE['productname_long'];
+                    // (currently, send hard-wired to NRO - future: for linked insts, check eduroam DBv2 and send to registered admins directly)
+                    $fed = new core\Federation($myInstOriginal->federation);
+                    $loggerInstance->debug(2, $myInstOriginal->federation, "FED: ", "\n");
+                    foreach ($fed->listFederationAdmins() as $id) {
+                        $user = new core\User($id);
+                        $mailaddr = $user->getAttributes("user:email")[0]['value'];
+                        $loggerInstance->debug(2, $mailaddr, "FED MAIL: ", "\n");
+                        $user->sendMailToUser(sprintf(_("%s: Significant Changes made to %s"), \config\Master::APPEARANCE['productname'], $ui->nomenclatureIdP), $text);
+                    }
                 }
-            }
-            $reloadedProfileNr2->prepShowtime();
+                $reloadedProfileNr2->prepShowtime();
 
-            // do OpenRoaming initial diagnostic checks
-            // numbers correspond to RFC7585Tests::OVERALL_LEVEL
-            $resultLevel = \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NO;
-            if (sizeof($reloadedProfileNr2->getAttributes("media:openroaming")) > 0) {
-                $resultLevel = \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_GOOD; // assume all is well, degrade if we have concrete findings to suggest otherwise
-                $tag = "aaa+auth:radius.tls.tcp";
-                // do we know the realm at all? Notice if not.
-                if (!isset($reloadedProfileNr2->getAttributes("internal:realm")[0]['value'])) {
-                    echo $uiElements->boxRemark(_("The profile information does not include the realm, so no DNS checks for OpenRoaming can be executed."));
-                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NOTE]);
+                // do OpenRoaming initial diagnostic checks
+                // numbers correspond to RFC7585Tests::OVERALL_LEVEL
+                $resultLevel = \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NO;
+                if (sizeof($reloadedProfileNr2->getAttributes("media:openroaming")) > 0) {
+                    $resultLevel = \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_GOOD; // assume all is well, degrade if we have concrete findings to suggest otherwise
+                    $tag = "aaa+auth:radius.tls.tcp";
+                    // do we know the realm at all? Notice if not.
+                    if (!isset($reloadedProfileNr2->getAttributes("internal:realm")[0]['value'])) {
+                        echo $uiElements->boxRemark(_("The profile information does not include the realm, so no DNS checks for OpenRoaming can be executed."));
+                        $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NOTE]);
                     
-                } else {
-                    $dnsChecks = new \core\diag\RFC7585Tests($reloadedProfileNr2->getAttributes("internal:realm")[0]['value'], $tag);
-                    $relevantNaptrRecords = $dnsChecks->relevantNAPTR();
-                    if ($relevantNaptrRecords <= 0) {
-                        echo $uiElements->boxError(_("There is no relevant DNS NAPTR record ($tag) for this realm. OpenRoaming will not work."));
-                        $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
                     } else {
-                        $recordCompliance = $dnsChecks->relevantNAPTRcompliance();
-                        if ($recordCompliance != core\diag\AbstractTest::RETVAL_OK) {
-                            echo $uiElements->boxWarning(_("The DNS NAPTR record ($tag) for this realm is not syntax conform. OpenRoaming will likely not work."));
-                            $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
-                        }
-                        $fed = new \core\Federation($my_inst->federation);
-                        // check if target is the expected one, if set by NRO
-                        $hasCustomTarget = $fed->getAttributes("fed:openroaming_customtarget");
-                        if (sizeof($hasCustomTarget) > 0) {
-                            foreach ($dnsChecks->NAPTR_records as $orpointer) {
-                                if ($orpointer["replacement"] != $hasCustomTarget[0]['value']) {
-                                    echo $uiElements->boxRemark(_("The SRV target of an OpenRoaming NAPTR record is unexpected."));
-                                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NOTE]);
+                        $dnsChecks = new \core\diag\RFC7585Tests($reloadedProfileNr2->getAttributes("internal:realm")[0]['value'], $tag);
+                        $relevantNaptrRecords = $dnsChecks->relevantNAPTR();
+                        if ($relevantNaptrRecords <= 0) {
+                            echo $uiElements->boxError(_("There is no relevant DNS NAPTR record ($tag) for this realm. OpenRoaming will not work."));
+                            $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
+                        } else {
+                            $recordCompliance = $dnsChecks->relevantNAPTRcompliance();
+                            if ($recordCompliance != core\diag\AbstractTest::RETVAL_OK) {
+                                echo $uiElements->boxWarning(_("The DNS NAPTR record ($tag) for this realm is not syntax conform. OpenRoaming will likely not work."));
+                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                            }
+                            $fed = new \core\Federation($my_inst->federation);
+                            // check if target is the expected one, if set by NRO
+                            $hasCustomTarget = $fed->getAttributes("fed:openroaming_customtarget");
+                            if (sizeof($hasCustomTarget) > 0) {
+                                foreach ($dnsChecks->NAPTR_records as $orpointer) {
+                                    if ($orpointer["replacement"] != $hasCustomTarget[0]['value']) {
+                                        echo $uiElements->boxRemark(_("The SRV target of an OpenRoaming NAPTR record is unexpected."));
+                                        $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NOTE]);
+                                    }
                                 }
                             }
-                        }
-                        $srvResolution = $dnsChecks->relevantNAPTRsrvResolution();
-                        $hostnameResolution = $dnsChecks->relevantNAPTRhostnameResolution();
+                            $srvResolution = $dnsChecks->relevantNAPTRsrvResolution();
+                            $hostnameResolution = $dnsChecks->relevantNAPTRhostnameResolution();
 
-                        if ($srvResolution <= 0) {
-                            echo $uiElements->boxError(_("The DNS SRV target for NAPTR $tag does not resolve. OpenRoaming will not work."));
-                            $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
-                        } elseif ($hostnameResolution <= 0) {
-                            echo $uiElements->boxError(_("The DNS hostnames in the SRV records do not resolve to actual host IPs. OpenRoaming will not work."));
-                            $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
-                        }
-                        // connect to all IPs we found and see if they are really an OpenRoaming server
-                        $allHostsOkay = TRUE;
-                        $oneHostOkay = FALSE;
-                        $testCandidates = [];
-                        foreach ($dnsChecks->NAPTR_hostname_records as $oneServer) {
-                            $testCandidates[$oneServer['hostname']][] = ($oneServer['family'] == "IPv4" ? $oneServer['IP'] : "[" . $oneServer['IP'] . "]") . ":" . $oneServer['port'];
-                        }
-                        foreach ($testCandidates as $oneHost => $listOfIPs) {
-                            $connectionTests = new core\diag\RFC6614Tests(array_values($listOfIPs), $oneHost, "openroaming");
-                            // for now (no OpenRoaming client certs available) only run server-side tests
-                            foreach ($listOfIPs as $oneIP) {
-                                $connectionResult = $connectionTests->cApathCheck($oneIP);
-                                if ($connectionResult != core\diag\AbstractTest::RETVAL_OK || ( isset($connectionTests->TLS_CA_checks_result['cert_oddity']) && count($connectionTests->TLS_CA_checks_result['cert_oddity']) > 0)) {
-                                    $allHostsOkay = FALSE;
-                                } else {
-                                    $oneHostOkay = TRUE;
+                            if ($srvResolution <= 0) {
+                                echo $uiElements->boxError(_("The DNS SRV target for NAPTR $tag does not resolve. OpenRoaming will not work."));
+                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
+                            } elseif ($hostnameResolution <= 0) {
+                                echo $uiElements->boxError(_("The DNS hostnames in the SRV records do not resolve to actual host IPs. OpenRoaming will not work."));
+                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
+                            }
+                            // connect to all IPs we found and see if they are really an OpenRoaming server
+                            $allHostsOkay = TRUE;
+                            $oneHostOkay = FALSE;
+                            $testCandidates = [];
+                            foreach ($dnsChecks->NAPTR_hostname_records as $oneServer) {
+                                $testCandidates[$oneServer['hostname']][] = ($oneServer['family'] == "IPv4" ? $oneServer['IP'] : "[" . $oneServer['IP'] . "]") . ":" . $oneServer['port'];
+                            }
+                            foreach ($testCandidates as $oneHost => $listOfIPs) {
+                                $connectionTests = new core\diag\RFC6614Tests(array_values($listOfIPs), $oneHost, "openroaming");
+                                // for now (no OpenRoaming client certs available) only run server-side tests
+                                foreach ($listOfIPs as $oneIP) {
+                                    $connectionResult = $connectionTests->cApathCheck($oneIP);
+                                    if ($connectionResult != core\diag\AbstractTest::RETVAL_OK || ( isset($connectionTests->TLS_CA_checks_result['cert_oddity']) && count($connectionTests->TLS_CA_checks_result['cert_oddity']) > 0)) {
+                                        $allHostsOkay = FALSE;
+                                    } else {
+                                        $oneHostOkay = TRUE;
+                                    }
                                 }
                             }
-                        }
-                        if (!$allHostsOkay) {
-                            if (!$oneHostOkay) {
-                                echo $uiElements->boxError(_("When connecting to the discovered OpenRoaming endpoints, they all had errors. OpenRoaming will likely not work."));
-                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
-                            } else {
-                                echo $uiElements->boxWarning(_("When connecting to the discovered OpenRoaming endpoints, only a subset of endpoints had no errors."));
-                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                            if (!$allHostsOkay) {
+                                if (!$oneHostOkay) {
+                                    echo $uiElements->boxError(_("When connecting to the discovered OpenRoaming endpoints, they all had errors. OpenRoaming will likely not work."));
+                                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
+                                } else {
+                                    echo $uiElements->boxWarning(_("When connecting to the discovered OpenRoaming endpoints, only a subset of endpoints had no errors."));
+                                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                                }
                             }
                         }
                     }
-                }
 
-                if (!$dnsChecks->allResponsesSecure) {
-                    echo $uiElements->boxWarning(_("At least one DNS response was NOT secured using DNSSEC. OpenRoaming ANPs may refuse to connect to the endpoint."));
-                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                    if (!$dnsChecks->allResponsesSecure) {
+                        echo $uiElements->boxWarning(_("At least one DNS response was NOT secured using DNSSEC. OpenRoaming ANPs may refuse to connect to the endpoint."));
+                        $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                    }
+                    if ($resultLevel == \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_GOOD) {
+                        echo $uiElements->boxOkay(_("Initial diagnostics regarding the DNS part of OpenRoaming (including DNSSEC) were successful."));
+                    }                
                 }
-                if ($resultLevel == \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_GOOD) {
-                    echo $uiElements->boxOkay(_("Initial diagnostics regarding the DNS part of OpenRoaming (including DNSSEC) were successful."));
-                }                
-            }
-            $reloadedProfileNr2->setOpenRoamingReadinessInfo($resultLevel);
-            ?>
+                $reloadedProfileNr2->setOpenRoamingReadinessInfo($resultLevel);
+                ?>
         </table>
         <br/>
         <form method='post' action='overview_org.php?inst_id=<?php echo $my_inst->identifier; ?>' accept-charset='UTF-8'>
             <button type='submit'><?php echo _("Continue to dashboard"); ?></button>
         </form>
         <?php
-        if (count($reloadedProfileNr2->getEapMethodsinOrderOfPreference(1)) > 0) {
-            echo "<form method='post' action='overview_installers.php?inst_id=$my_inst->identifier&profile_id=$reloadedProfileNr2->identifier' accept-charset='UTF-8'>
+            if (count($reloadedProfileNr2->getEapMethodsinOrderOfPreference(1)) > 0) {
+                echo "<form method='post' action='overview_installers.php?inst_id=$my_inst->identifier&profile_id=$reloadedProfileNr2->identifier' accept-charset='UTF-8'>
         <button type='submit'>" . _("Continue to Installer Fine-Tuning and Download") . "</button>
     </form>";
-        }
-        echo $deco->footer();
-        break;
-    default:
-        throw new Exception("Unknown submit value received.");
+            }
+            echo $deco->footer();
+            break;
+        default:
+            throw new Exception("Unknown submit value received.");
 }