(RADIATOR) LDAP questions

Ben Carter bencarter at businessserve.co.uk
Wed Dec 26 12:03:29 CST 2001


Hi Hugh,

Merry Christmas!!!

> On Sun, 23 Dec 2001 10:48, Ben Carter wrote:
> > Hi all,
> >
> > I was wondering if anyone could help me out with the following:
> >
> > 1) I have "HoldServerConnection" in my <AuthBy LDAP2> clauses but
> > Radiator still seems to re-connect each time to LDAP. The LDAP server
> > I am using is iPlanet's (formerly Netscape) and handles multiple
> > searches in a single connection with no problem.
> 
> What version of Radiator are you running? There is a mention of this in
> the history file ("doc/history.html").

We're running version 2.19!

> > 2) We have a bunch of dialup ports with another provider to give us
> > unmetered connections for customers of that telco. Most of these users
> > need to be authenticated using only their Calling-Station-ID (i.e. they
> > DO NOT have a username and password). We also have a few people who have
> > a username and password as a way of bypassing the Calling-Station-ID
> > check. My problem is Radiator expects passwordattr to be defined and
> > insists on checking the username and password with those in LDAP, and if
> > they don't match it rejects them. Obviously, in an environment where we
> > are using the Calling-Station-ID to authenticate the user this is always
> > going to fail, as they don't supply a username and password!! We have got
> > around this problem in a very dirty way by using a PostSearchHook to fool
> > Radiator into thinking this is an EAP request (my config file is below).
> > Is there a better way to do this, or can the mandatory checking of
> > username and password be removed from Radiator? (You also get an LDAP
> > error every time the user has no password and it can't find the
> > passwordattr in LDAP.)
> >
> > Also, from the config file below, it shows that we check to see if the
> > username and password (the override Calling-Station-ID users) is valid
> > BEFORE we check Calling-Station-ID. As our customers are split approx.
> > 98% Calling-Station-ID authenticated versus 2% user/pass authenticated,
> > this is very inefficient, resulting in 2 LDAP queries for 98% of users.
> > If we could have it the other way around it would be only 1 search for
> > the 98% and 2 searches for the 2%.
> 
> I think I would add a PreClientHook that would check to see if there is a
> User-Name and User-Password present in the Access-Request, and if not then
> add the Calling-Station-Id as both the User-Name and User-Password.
> 
> Then you can add a Handler that checks for a User-Name that is all digits
> and uses the appropriate AuthBy clause.
> 
> There are some example hooks in the file "goodies/hooks.txt".
> 

Ah, my fault: when I said the users don't have a username and password, that's
not exactly correct. They don't have one for their dialup connection (it's
done via CSID), but they do have one for their mail accounts, so users being
users, they use those (or some weird derivative that only they know how they
came up with) for their dialup. So I can't check if the username and
password is NULL without calling all the users and saying "Hey, don't put a
username or password in your dialup", which we could have done when we first
started, but there are too many users to do that now!!

On the Handler thing, can you have a Handler in a Handler? I'm production
testing Handlers by NAS group to implement per-NAS-group session limits.

Ben.
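Hugh's PreClientHook suggestion, written out as an added example (this is not code from the thread or from Radiator's goodies/hooks.txt). It also keys on the NAS address the call arrived on, to cover Ben's point that CSID users may still type their mail credentials; the NAS addresses, the hook file name and the NoCheckPassword Handler it relies on are assumptions.

```perl
# Added example for the PreClientHook Hugh describes; not Radiator's own code
# nor an excerpt from goodies/hooks.txt. Assumes Radiator's documented hook
# convention ($_[0] is a reference to the Radius::Radius request) and its
# code/get_attr/change_attr methods, loaded from the config with (assumption):
#   PreClientHook file:"%D/csid_hook.pl"
# A request with no credentials, or one arriving from the unmetered NAS ports,
# gets Calling-Station-Id copied into User-Name so that a Handler such as
#   <Handler User-Name=/^\d+$/> ... <AuthBy LDAP2> NoCheckPassword ...
# can authenticate it on the CSID alone and the 98% case costs one LDAP search.
# User-Password is deliberately left untouched: at this point it is still
# RADIUS-encrypted, so the CSID Handler's AuthBy is assumed to use
# NoCheckPassword rather than compare it.
sub {
    my $p = ${$_[0]};                              # the incoming request packet

    return unless $p->code eq 'Access-Request';    # leave accounting alone

    # Constructed sample: NAS addresses of the unmetered dialup ports whose
    # users are identified by CSID regardless of what they type
    my %csid_nas = map { $_ => 1 } qw(192.0.2.10 192.0.2.11);

    my $user = $p->get_attr('User-Name');
    my $pass = $p->get_attr('User-Password');
    my $csid = $p->get_attr('Calling-Station-Id');
    my $nas  = $p->get_attr('NAS-IP-Address');
    my $from = defined $nas ? $nas : 'unknown NAS';

    my $no_creds  = !(defined $user && length $user)
                 && !(defined $pass && length $pass);
    my $csid_port = defined $nas && $csid_nas{$nas};

    return unless $no_creds || $csid_port;         # ordinary user/pass login
    return unless defined $csid && length $csid;   # nothing to identify by

    # Keep digits only and insist on a plausible length, so an "unavailable"
    # or malformed CSID never turns into an all-digit User-Name
    (my $digits = $csid) =~ s/\D//g;
    unless (length $digits >= 7 && length $digits <= 15) {
        &main::log($main::LOG_INFO,
                   "csid_hook: unusable Calling-Station-Id '$csid' from $from");
        return;
    }

    # change_attr replaces an existing User-Name or adds one if absent
    $p->change_attr('User-Name', $digits);
    &main::log($main::LOG_DEBUG,
               "csid_hook: User-Name set from Calling-Station-Id $digits ($from)");
}
```

Requests from the NAS list are rewritten even when the user typed mail credentials, which is what makes the CSID Handler see them first; the 2% who should bypass the CSID check would need to come in on a NAS that is not in the list.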
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.