[RADIATOR] add Attributes when retrying to a new Host in AuthROUNDROBIN (radiator Digest, Vol 63, Issue 14)
Heikki Vatiainen
hvn at open.com.au
Fri Oct 3 07:13:50 CDT 2014
On 2.10.2014 18.48, David Zych wrote:
> It's taken me longer than I had hoped to circle back around to this, but
> I wanted to say thanks very much for the new patches! I am using them
> now to cope much more gracefully if one of my back-end "worker"
> processes gets stalled by an external dependency (i.e. ntlm_auth).
>
> Here are the key pieces, for the benefit of anyone else trying to
> accomplish something similar.
Thanks for the update David. The patch in Radiator 4.13 patch set has
not changed, so what you are using will work with the next release too.

There's also one recent change that might be useful to you and the other
AuthBy NTLM users. The Group configuration parameter now accepts
multiple group names. If you configure, for example, this on Ubuntu 12.04:

    User radiator
    Group radiator,winbindd_priv

Radiator will set the supplementary groups to winbindd_priv. Any files,
such as logs, will be created with radiator:radiator ownership since the
primary group is radiator.

Now, when radius starts a new ntlm_auth process this ntlm_auth process
can access the winbindd socket since it's a member of the winbindd_priv
group. This allows AuthBy NTLM to work without running radiusd as root.

One might have tried to use sudo for something similar already, but now
the Group option can also be used to specify the groups. If there are
group names that cannot be resolved, then radiusd will not try to
switch groups.

Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
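
A check an operator might run after moving to the User/Group setup described in the message above, as an added example (not from the original post and not Radiator code): it reads the Uid, Gid and Groups lines of a Linux /proc/<pid>/status and confirms that the process is not root, has the expected primary group, and carries the supplementary group. The function names and the numeric ids in the sample are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not Radiator code. Verifies process credentials from the
# text of /proc/<pid>/status (Linux).

# check_creds STATUS_FILE PRIMARY_GID SUPP_GID
# Returns 0 only if no UID slot (real, effective, saved, fs) is 0, the
# effective GID equals PRIMARY_GID, and SUPP_GID is a supplementary group.
check_creds() {
    awk -v pgid="$2" -v sgid="$3" '
        $1 == "Uid:"    { for (i = 2; i <= 5; i++) if ($i == 0) root = 1; seen_uid = 1 }
        $1 == "Gid:"    { egid = $3 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == sgid) has_supp = 1 }
        END {
            if (!seen_uid)    { print "FAIL: no Uid line found"; exit 2 }
            if (root)         { print "FAIL: process still holds UID 0"; exit 1 }
            if (egid != pgid) { print "FAIL: effective GID " egid ", expected " pgid; exit 1 }
            if (!has_supp)    { print "FAIL: supplementary GID " sgid " missing"; exit 1 }
            print "OK: non-root, primary GID " pgid ", supplementary GID " sgid
        }' "$1"
}

# check_pid PID PRIMARY_GROUP SUPP_GROUP
# Live-system wrapper: resolves group names with getent, then checks PID.
# Usage: check_pid "$(pgrep -o radiusd)" radiator winbindd_priv
check_pid() {
    local pgid sgid
    pgid=$(getent group "$2" | cut -d: -f3)
    sgid=$(getent group "$3" | cut -d: -f3)
    if [ -z "$pgid" ] || [ -z "$sgid" ]; then
        echo "FAIL: unresolved group name"
        return 2
    fi
    check_creds "/proc/$1/status" "$pgid" "$sgid"
}

# Constructed sample of the relevant status lines: UID/GID 998 stand in for
# radiator, GID 112 stands in for winbindd_priv (made-up numbers).
sample_status() {
    printf 'Name:\tradiusd\nUid:\t998\t998\t998\t998\n'
    printf 'Gid:\t998\t998\t998\t998\nGroups:\t112\n'
}

# Demo on the constructed sample; prints the OK line.
demo_file=$(mktemp)
sample_status > "$demo_file"
check_creds "$demo_file" 998 112
rm -f "$demo_file"
```

If the Groups line lacks the expected gid after a restart, the group switch did not take effect, which is what the message says happens when a configured group name cannot be resolved.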