(RADIATOR) LDAP2 and PostSearchHook

Hugh Irvine hugh at open.com.au
Fri Aug 10 19:35:48 CDT 2001


Hello Dirk -

On Saturday 11 August 2001 01:04, Dirk Tilger wrote:
> Hi,
>
> I have a question regarding PostSearchHook in AuthLDAP2. I'm using
> Radiator-2.18.2 on a Linux machine. I have a realm INTERSHOPLAB...
>
> ---8<---
> <Realm INTERSHOPLAB>
>         RewriteUsername s/^(.*)\@(.*)/$1/
>         <AuthBy LDAP2>
>                 Host            10.0.87.32
>                 AuthDN          CN=AdminDirk,CN=Users,DC=intershop,DC=lab
>                 AuthPassword    secret
>                 BaseDN          DC=intershop,DC=lab
>                 UsernameAttr    sAMAccountName
>                 ServerChecksPassword
>                 AuthAttrDef msNPAllowDialin,GENERIC,request
>                 PostSearchHook sub { \
>                         my $dialperm = $_[4]->get('msNPAllowDialin'); \
>                         $_[0]->log($main::LOG_DEBUG, "\$dialperm is $dialperm"); \
>                         if (!$dialperm) \
>                                 { \
>                                 $_[0]->log($main::LOG_INFO, "No dialin permission"); \
>                                 } \
>                         }
>                 Debug 255
>         </AuthBy>
> </Realm>

[....snip....]

>
> Net::LDAP=HASH(0x865af6c) received:
> 0000 30   96: SEQUENCE {
> 0006 02    1:   INTEGER = 2
> 0009 64   87:   [APPLICATION 4] {
> 000F 04   43:     STRING = 'CN=Dirk Tilger,CN=Users,DC=intershop,DC=lab'
> 003C 30   36:     SEQUENCE {
> 0042 30   30:       SEQUENCE {
> 0048 04   15:         STRING = 'msNPAllowDialin'
> 0059 31    7:         SET {
> 005F 04    5:           STRING = 'FALSE'
> 0066        :         }
> 0066        :       }
> 0066        :     }
> 0066        :   }
> 0066        : }
> ---8<---
>
> I was now wondering why it doesn't work, because in the documentation
> you had a similar sample. Also the two lines...
>

You have specified the following:

	AuthAttrDef msNPAllowDialin,GENERIC,request

Which means that the contents of "msNPAllowDialin" should contain an 
attribute/value pair of the form "Allow-Dialin = FALSE".

If you wanted the contents of the field to be used as the value only, you 
would do something like this:

	AuthAttrDef msNPAllowDialin,Allow-Dialin,request

Either of the above would add the following to the request:

	Allow-Dialin = FALSE

> > Fri Aug 10 16:40:23 2001: ERR: Bad attribute=value pair: FALSE
> > Fri Aug 10 16:40:23 2001: DEBUG: $dialperm is ARRAY(0x8370c4c)
>
> ....look a little bit strange to me. I tried some other configurations
> and it was almost impossible to check a boolean value.
>
> Did I do something wrong?
>
> By the way: How can I reject a message from the hook? The only way
> that works at the moment is to modify the password, but doing so
> the user gets a confusing message. In all other cases it seems to
> me that the

(RADIATOR) Handler clause

Hugh Irvine hugh at open.com.au
Sat Aug 11 09:48:46 +1000 2001

Hello Kyle -

What you show below is not correct. Keep in mind that what is used in either 
Realms or Handlers is the information received in the incoming request (for 
the most part). 

If you want to send different attributes to different NAS clients, you should 
use the PostAuthHook construct, perhaps in conjunction with a StartupHook 
and/or some information in a database.

There are some example hooks that implement a scheme like this in the file 
called "goodies/hooks.txt" in the Radiator distribution.

Alternatively you could do something like this:

# define Client clauses with Identifiers

<Client .....>
	Identifier Ascend
	......
</Client>

<Client .....>
	Identifier Patton
	......
</Client>

# define Handlers

<Handler Realm = myRealm, Client-Identifier = Ascend>
	......
</Handler>

<Handler Realm = myRealm, Client-Identifier = Patton>
	......
</Handler>

Note that the above will work for a small number of Realms and NAS's, but for 
anything more you should consider the hooks.

regards

Hugh


On Saturday 11 August 2001 01:58, Kyle wrote:
> Hugh,
>   Is it legal in the realms.cfg file to place a <Handler> clause inside
> a <Realm> clause? Let's say if I wanted to do something like:
>
> <Realm myRealm>
>
> ....
>
>   <Handler someNasAttribute>
>     // Make some replies
>   </Handler>
>   <Handler someOtherNasAttribute>
>     // Make some other replies
>   </Handler>
>
> ....
>
> </Realm>
>
> I remember reading something on this, but can't find it again. Basically,
> I want to be able to take a single value, such as idle-timeout, and be
> able to pass it to a NAS in its correct format, i.e., our Ascend would
> take the value as Ascend-Idle-Timeout whereas our Patton would take the
> value as just Idle-Timeout.

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
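Hugh's advice to use a PostAuthHook instead of one Handler per (Realm, Client-Identifier) pair, as an added example that is not from the Radiator distribution or the original post: the hook keys on the Identifier of the Client clause that matched the request (Radiator picks the Client clause from the NAS's source address and verifies it with the shared secret, so the choice does not rest on anything the NAS claims inside the packet) and rewrites a NAS-neutral Idle-Timeout reply item into the attribute that vendor expects. Adding a NAS type is then one line in a table rather than a new Handler. Assumptions: PostAuthHook receives references to the request, reply and result objects in $_[0], $_[1] and $_[2]; the matched Client object is reachable as $p->{Client} with its Identifier in $p->{Client}->{Identifier}; `Ascend-Idle-Timeout` is the name Kyle's post uses and must exist in your dictionary; FakePacket is a constructed stand-in for the reply object carrying the three methods the hook uses. Confirm the argument conventions against goodies/hooks.txt for your version.

```perl
#!/usr/bin/perl
# Added example: per-NAS translation of a reply attribute in a PostAuthHook.
# Not code from the Radiator distribution or the original post.
use strict;
use warnings;

# Radiator defines $main::ACCEPT; give it a value only when this script is
# run stand-alone, outside Radiator.
$main::ACCEPT = 0 unless defined $main::ACCEPT;

# Which attribute carries an idle timeout for each Client Identifier.
# Names are taken from Kyle's post (assumption: they exist in your
# dictionary); add one line per NAS type instead of a new Handler clause.
my %IDLE_ATTR_FOR = (
    Ascend => 'Ascend-Idle-Timeout',
    Patton => 'Idle-Timeout',
);

# Rewrite Idle-Timeout in the reply into the attribute for this client.
# Returns the attribute name that ends up carrying the value (undef when
# the reply had no Idle-Timeout), so the caller can log or check it.
sub translate_idle_timeout {
    my ($rp, $client_id) = @_;
    my $value = $rp->get_attr('Idle-Timeout');
    return undef unless defined $value;

    # Unknown or unset Identifier: keep the standard attribute rather than
    # guessing a vendor one.
    my $target = (defined $client_id && $IDLE_ATTR_FOR{$client_id})
               || 'Idle-Timeout';
    return $target if $target eq 'Idle-Timeout';

    $rp->delete_attr('Idle-Timeout');
    $rp->add_attr($target, $value);
    return $target;
}

# The PostAuthHook itself.  Assumes $_[0..2] are references to the request,
# reply and result, and that the matched Client clause is in $p->{Client}.
# Only successful authentications are touched.
sub post_auth_hook {
    my ($p, $rp, $result) = (${$_[0]}, ${$_[1]}, ${$_[2]});
    return unless $result == $main::ACCEPT;
    my $client_id = $p->{Client} ? $p->{Client}->{Identifier} : undef;
    return translate_idle_timeout($rp, $client_id);
}

# Constructed stand-in for the reply packet with the three methods used
# above (Radiator's reply object has get_attr, add_attr and delete_attr).
# Drop it when loading the hook into Radiator.
package FakePacket;
sub new         { my ($class, %attrs) = @_; return bless { %attrs }, $class }
sub get_attr    { my ($self, $name) = @_; return $self->{$name} }
sub add_attr    { my ($self, $name, $value) = @_; $self->{$name} = $value; return }
sub delete_attr { my ($self, $name) = @_; delete $self->{$name}; return }
package main;

# The same reply for four different NAS clients, including one with no
# entry in the table and one with no Identifier at all.
for my $client_id ('Ascend', 'Patton', 'Cisco-unknown', undef) {
    my $rp   = FakePacket->new('Idle-Timeout' => 600);
    my $attr = translate_idle_timeout($rp, $client_id);
    die "value lost" unless $rp->get_attr($attr) == 600;
    printf "%-14s -> %s\n", defined $client_id ? $client_id : '(no Identifier)', $attr;
}

# Exercise the hook entry point the way Radiator calls it: by reference.
my ($p, $rp2, $result) = ({ Client => { Identifier => 'Ascend' } },
                          FakePacket->new('Idle-Timeout' => 600), $main::ACCEPT);
post_auth_hook(\$p, \$rp2, \$result);
die "hook did not translate"     unless defined $rp2->get_attr('Ascend-Idle-Timeout');
die "Idle-Timeout not removed"   if defined $rp2->get_attr('Idle-Timeout');
```

To use this inside Radiator, keep the table and the two subs, remove the FakePacket package and the checks at the bottom, and make the file evaluate to the hook's code reference so it can be loaded with the separate-file form Hugh recommends. The fallback branch is deliberate: a NAS whose Client clause has no Identifier, or an Identifier missing from the table, still gets the standard Idle-Timeout rather than a wrong vendor attribute or no timeout at all.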
(RADIATOR) LDAP2 and PostSearchHook

Hugh Irvine hugh at open.com.au
Fri Aug 10 19:35:48 CDT 2001

> ServerChecksPassword is passed regardless of what my hook
> does.
>

For examples of useful things to do with hooks (including reject), have a 
look at the file "goodies/hooks.txt" in the Radiator distribution.

BTW - I always suggest putting your hook code in a separate file for ease of 
editing, etc. Again, have a look at "goodies/hooks.txt".

regards

Hugh

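Hugh points Dirk at goodies/hooks.txt for rejecting from a hook; what follows is an added example, not from the Radiator distribution or either poster, of a PostSearchHook that does what Dirk's hook set out to do. Two points from the thread drive it. First, the log line `$dialperm is ARRAY(0x8370c4c)` shows that `get()` handed back an array reference, and a reference is always true in Perl, so `if (!$dialperm)` can never fire; the value has to be unpacked before it is tested. Second, the decision should fail closed: a missing or multi-valued msNPAllowDialin is treated exactly like FALSE, which goes beyond Dirk's single FALSE case. Assumptions: the argument order Dirk's post relies on ($_[0] the AuthBy object, $_[4] the Net::LDAP::Entry), with $_[1], $_[2] and $_[3] taken to be the user name, the request and the User object; and that adding the check item `Auth-Type = Reject` to the User object's check list through `get_check->add_attr` is the mechanism for a clean Access-Reject. FakeEntry is a constructed stand-in so the script runs without Net::LDAP or Radiator. Check both assumptions against goodies/hooks.txt and the reference manual for your version.

```perl
#!/usr/bin/perl
# Added example: a fail-closed PostSearchHook for msNPAllowDialin.
# Not code from the Radiator distribution or the original post.
use strict;
use warnings;

# Reduce whatever the entry returns for msNPAllowDialin to a boolean.
# Old Net::LDAP get() returns an array reference (the "ARRAY(0x...)" in
# the log), which is always true, so it must be unpacked before testing;
# newer Net::LDAP offers get_value(), which returns the values in list
# context.  Both are accepted here.
sub dialin_allowed {
    my ($entry) = @_;
    my @values;
    if ($entry->can('get_value')) {
        @values = $entry->get_value('msNPAllowDialin');
    } else {
        my $raw = $entry->get('msNPAllowDialin');
        @values = ref $raw eq 'ARRAY' ? @$raw
                : defined $raw        ? ($raw)
                :                       ();
    }
    # Fail closed: anything other than exactly one value of TRUE denies,
    # so a missing attribute or a conflicting pair never lets a user in.
    return 0 unless @values == 1;
    return uc($values[0]) eq 'TRUE' ? 1 : 0;
}

# PostSearchHook body.  Argument order as in Dirk's post: $_[0] AuthBy,
# $_[4] the Net::LDAP::Entry; $_[1..3] assumed to be the user name, the
# request and the User object.  Returns 1 if allowed, 0 if marked reject.
sub dialin_hook {
    my ($authby, $name, $request, $user, $entry, $reply) = @_;
    if (dialin_allowed($entry)) {
        $authby->log($main::LOG_DEBUG, "$name: msNPAllowDialin is TRUE");
        return 1;
    }
    $authby->log($main::LOG_INFO, "$name: no dial-in permission, rejecting");
    # Assumption: a check item Auth-Type = Reject on the User object makes
    # Radiator send a plain Access-Reject, instead of the confusing failure
    # Dirk saw when mangling the password.  Confirm in goodies/hooks.txt.
    $user->get_check->add_attr('Auth-Type', 'Reject');
    return 0;
}

# Constructed stand-in mimicking old Net::LDAP::Entry::get(): an array
# reference of values, undef when the attribute is absent.  Lets the
# script run offline; drop it when loading the hook into Radiator.
package FakeEntry;
sub new { my ($class, %attrs) = @_; return bless { %attrs }, $class }
sub get {
    my ($self, $attr) = @_;
    return exists $self->{$attr} ? [ @{ $self->{$attr} } ] : undef;
}
package main;

# Constructed cases: Dirk's FALSE entry plus the edge cases that a naive
# truth test gets wrong.
my %expected = (allowed => 1, denied => 0, absent => 0, conflicting => 0, lowercase => 1);
my %entry = (
    allowed     => FakeEntry->new(msNPAllowDialin => ['TRUE']),
    denied      => FakeEntry->new(msNPAllowDialin => ['FALSE']),
    absent      => FakeEntry->new(),
    conflicting => FakeEntry->new(msNPAllowDialin => ['TRUE', 'FALSE']),
    lowercase   => FakeEntry->new(msNPAllowDialin => ['true']),
);
for my $case (sort keys %entry) {
    my $got = dialin_allowed($entry{$case});
    die "$case: expected $expected{$case}, got $got" unless $got == $expected{$case};
    printf "%-12s -> %s\n", $case, $got ? 'accept' : 'reject';
}
```

For Radiator, keep the two subs, remove the FakeEntry package and the loop at the bottom, and make the file evaluate to the hook's code reference so it can be loaded from the separate file Hugh recommends. The fail-closed rule is the part worth keeping even if the reject mechanism differs in your version: an account with no msNPAllowDialin at all is denied, so a mis-typed attribute name shows up as rejects in the log rather than silently letting everyone dial in.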