(RADIATOR) about AuthBy SYSTEM
Hugh Irvine
hugh at open.com.au
Wed Oct 10 18:22:46 CDT 2001
Hello Jesús -
I am not completely clear on what you want to do, but here are some
suggestions on using cascaded AuthBy clauses:
# define AuthBy clauses
<AuthBy SYSTEM>
    Identifier CheckSystem
    .....
</AuthBy>
<AuthBy FILE>
    Identifier CheckPrivileges
    Filename %D/privilegios
    .....
</AuthBy>
# define Realm(s)
<Realm XXX>
    RewriteUsername s/^([^@]+).*/$1/
    AuthBy CheckPrivileges
    .....
</Realm>
The file %D/privilegios would contain something like this:
# define users privileges
# NB - the first line is the check items starting in column 1
# and the second and following lines starting with white space
# are the reply items
DEFAULT NAS-Identifier = nnnn, Auth-Type = CheckSystem
        Service-Type = Administrative-User
DEFAULT NAS-Identifier = "", Auth-Type = CheckSystem, Group = 1000
        Service-Type = Login-User,
        cisco-avpair = "shell:priv-lvl=5"
If you have any further questions, please ask.
regards
Hugh
On Wednesday 10 October 2001 19:19, Jesús M Díaz wrote:
> Hi all,
>
> I want to authenticate some of my remote users against the Unix system
> method. I put in my config file:
>
> <Realm XXX>
>     AuthByPolicy ContinueWhileAccept
>     SessionDatabase RADONLINE
>     AcctLogFileName %L/logfile
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy SYSTEM>
>     </AuthBy>
>     <AuthBy FILE>
>         DynamicCheck NAS-Identifier
>         DynamicCheck Group
>         Filename %D/privilegios
>     </AuthBy>
> </Realm>
>
>
> The file 'privilegios' contains:
>
> DEFAULT NAS-Identifier = %N
>     Service-Type = Administrative-User
>
> DEFAULT NAS-Identifier = "", Group = 1000
>     Service-Type = Login-User,
>     cisco-avpair = "shell:priv-lvl=5"
>
>
> but when Radiator receives an Access-Request for one of those users, it
> denies the access and logs:
>
> "20011008160221. WARNING: This AuthBy does not know how to check
> Group membership"
>
> I looked at the AuthSYSTEM.pm module, and I can see that the routine
> knows all the data about the user ($name, $passwd, $uid, $gid, $quota,
> $comment, $gcos, $dir, $shell), but it only grabs the expiration date as
> an attribute, if it exists. Why?
>
> I have tried to add the gid as an attribute, with the line
> "$user->get_check->add_attr('Group', $gid);", but now, when Radiator
> gets a request for the user, it denies it and logs:
>
> 20011008163130. DEBUG: Rewrote user name to user at realm
> 20011008163130. DEBUG: Handling request with Handler 'Realm=realm'
> 20011008163130. DEBUG: Rewrote user name to user
> 20011008163130. DEBUG: RADonline Deleting session for user at realm,
> a.b.c.d, 2
> 20011008163130. DEBUG: do query is: delete from RADONLINE where
> NASIDENTIFIER='a.b.c.d' and NASPORT=02
> 20011008163130. DEBUG: Handling with Radius::AuthSYSTEM
> 20011008163130. DEBUG: getpwnam got user, crypt_pass, uid, gid, , , ,
> homedir, shell,
> 20011008163130. DEBUG: Radius::AuthSYSTEM looks for match with user
> 20011008163130. DEBUG: Radius::AuthSYSTEM REJECT: User user is not in
> Group 1000
> 20011008163130. INFO: Access rejected for jesusm: User user is not in
> Group 1000
>
> Where is the problem? Do you understand my question?
>
> Thanks in advance
>
>
>
> Jesus M Diaz <jesus.diaz at telia-iberia.com>
>
> ONO Service Provider
> Network Planning and Design
> Tel: +34 91 623 2909
> Fax: +34 91 623 2911
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
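The exchange above turns on how a Radiator users file is read: a line in column 1 names the user (or DEFAULT) and carries the check items, the indented lines that follow carry the reply items, entries are tried in order, and a check item such as Auth-Type hands the password check to another AuthBy (here AuthBy SYSTEM), which is the only step that knows the account's gid. The Python script below is an added example written for this page, not code from Radiator or from either poster: a small parser for that layout plus a first-match authenticator over a constructed account table, so you can see which entry a given NAS-Identifier falls through to and why a Group check has nothing to compare against unless the system lookup has run. The SYSTEM_ACCOUNTS table, the check_system() function, the sample users file and the fall-through versus reject choices are all assumptions of this example, not Radiator's documented behaviour.

```python
# Constructed stand-in for the Unix account database that AuthBy SYSTEM
# reads via getpwnam(): name -> password, uid, gid. Sample data only.
SYSTEM_ACCOUNTS = {
    "alice": {"password": "s3cret", "uid": 1001, "gid": 1000},
    "bob": {"password": "hunter2", "uid": 1002, "gid": 2000},
}


def check_system(username, password):
    """Hypothetical stand-in for the AuthBy SYSTEM step: verify the
    password and return the account record (carrying the gid), or None."""
    account = SYSTEM_ACCOUNTS.get(username)
    if account is None or account["password"] != password:
        return None
    return account


# Auth-Type value in a check item -> the cascaded authenticator it names.
AUTH_BY = {"CheckSystem": check_system}

# Constructed users file in the same layout as %D/privilegios above:
# check items start in column 1, reply items sit on indented lines.
USERS_FILE = """\
# admin NAS: anyone with a valid system password is an administrator
DEFAULT NAS-Identifier = nas-admin, Auth-Type = CheckSystem
    Service-Type = Administrative-User
# everywhere else: valid system password AND primary group 1000
DEFAULT Auth-Type = CheckSystem, Group = 1000
    Service-Type = Login-User,
    cisco-avpair = "shell:priv-lvl=5"
"""


def split_items(text):
    """Split 'A = x, B = "y, z"' into [('A', 'x'), ('B', 'y, z')].
    Commas inside double quotes do not separate items; a trailing comma
    (as on a continued reply line) produces no empty item."""
    pieces, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    items = []
    for piece in pieces:
        if piece.strip():
            attr, _, value = piece.partition("=")
            items.append((attr.strip(), value.strip().strip('"')))
    return items


def parse_users_file(text):
    """Return entries as (name, check_items, reply_items) in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # indented: reply items for the open entry
            if not entries:
                raise ValueError("reply items before any user entry")
            entries[-1][2].extend(split_items(line))
        else:  # column 1: '<name> <check items>'
            parts = line.split(None, 1)
            name, rest = parts[0], parts[1] if len(parts) > 1 else ""
            entries.append((name, split_items(rest), []))
    return entries


def authenticate(entries, request):
    """First matching entry wins. An ordinary check item that does not
    match falls through to the next entry; a failed Auth-Type password
    check rejects outright (a policy choice of this example).
    Returns (True, reply_items) or (False, reason)."""
    user = request.get("User-Name", "")
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != user:
            continue
        plain = [(a, v) for a, v in checks if a not in ("Auth-Type", "Group")]
        if any(request.get(a) != v for a, v in plain):
            continue
        by_name = dict(checks)
        account = None
        auth_type = by_name.get("Auth-Type")
        if auth_type is not None:
            if auth_type not in AUTH_BY:
                return False, f"unknown Auth-Type {auth_type}"
            account = AUTH_BY[auth_type](user, request.get("User-Password", ""))
            if account is None:
                return False, f"{auth_type} rejected {user}"
        group = by_name.get("Group")
        if group is not None:
            # No system lookup means no gid to compare: this is the
            # situation behind the warning quoted in the thread.
            if account is None:
                return False, "this entry cannot check Group membership"
            if str(account["gid"]) != group:
                continue
        return True, list(replies)
    return False, "no matching entry"


ENTRIES = parse_users_file(USERS_FILE)

if __name__ == "__main__":
    for req in (
        {"User-Name": "alice", "User-Password": "s3cret", "NAS-Identifier": "nas-admin"},
        {"User-Name": "bob", "User-Password": "hunter2", "NAS-Identifier": "nas-edge"},
    ):
        print(req["User-Name"], "@", req["NAS-Identifier"], "->", authenticate(ENTRIES, req))
```

Run it as a script to see alice accepted as Administrative-User from nas-admin and bob (gid 2000) falling through both entries from nas-edge; the ordering of the DEFAULT entries is what makes the NAS-specific rule take precedence over the catch-all.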