(RADIATOR) Authby policy question.
Hugh Irvine
hugh at open.com.au
Mon Oct 15 20:04:18 CDT 2001
Hello Josh -
On Tuesday 16 October 2001 10:06, Ward, Josh wrote:
> Here is my config for the authentication for the 'free modem services' at
> my university. (see below)
>
> I have a table that I'm creating through AuthbySQL that calculates the
> session times and then when users cross over their timelimit, are inserted
> into my 'overtime' table in SQL with a bogus password. I was assuming that
> if someone didn't have an entry in the database that Authby SQL would
> return an ignore, not a reject. This is not the case and this has fouled
> up my authentication scheme. I was going to have the users over their time
> rejected by that first AuthBy (why I insert a bogus password), then the
> other users authenticated properly with the other AuthBys using an
> AuthByPolicy ContinueWhileIgnore. Like I said, it's not working because
> AuthBy SQL is rejecting people not in the database.
>
> Is there anyone who has done anything similar to this?
>
> I just want to pick people off with the first one, and if they are not
> found, keep looking. If they had a bad password, then stop looking. Seems
> simple enough :-)
>
Try this:
Add an entry into your "overtime" table like this:
DEFAULT with a Null password (which will always accept).
Then add a "NoDefaultIfFound" in the AuthBy SQL clause, and change the
AuthByPolicy to ContinueWhileAccept.
<Handler> #Free modems
    AuthByPolicy ContinueWhileAccept
    RewriteUsername s/^([^@]+).*/$1/
    RewriteUsername tr/A-Z/a-z/
    <AuthBy SQL>
        Identifier FreeModemService_OVERTIME
        DBSource dbi:mysql:modems
        DBUsername ----------
        DBAuth ----------
        NoDefaultIfFound
        AuthSelect SELECT pw FROM overtime WHERE login='%n'
        AuthColumnDef 0, User-Password, check
    </AuthBy>
    <AuthBy FILE>
        Identifier FreeModemService_File
        Filename /etc/radius/free_users
    </AuthBy>
    <AuthBy LDAP2>
        Identifier FreeModemService_LDAP
        Host directory.csuchico.edu
        AuthDN ---------
        AuthPassword ---------
        BaseDN o=California State University Chico,c=US
        UsernameAttr uid
        PasswordAttr userpassword
        AuthAttrDef modemservicetype, X-User-MST, request
        PostSearchHook sub {\
            my $attr = $_[4]->get_value('modemservicetype');\
            if ($attr & 1) {\
                $_[3]->get_check->add_attr('X-User-MST', $attr);\
            }\
            else {\
                $_[3]->get_check->add_attr('X-User-MST', 'Denied: wrong modem service type');\
            }\
        }
    </AuthBy>
</Handler>
Note that you may also need to use an AuthBy GROUP, as it is not clear from
the above what should happen with the AuthBy FILE and the AuthBy LDAP2.
If you have any other questions, please ask.
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
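To see why the original ContinueWhileIgnore chain rejected users missing from the overtime table, and why the DEFAULT row plus NoDefaultIfFound plus ContinueWhileAccept fixes it, here is an added toy model of the AuthBy chain in Python (my own example, not Radiator code). It assumes the semantics the thread describes: an AuthBy returns ACCEPT, REJECT or IGNORE; an unknown user falls back to a DEFAULT row and is REJECTed (not IGNOREd) when there is none; a NULL password accepts anything; NoDefaultIfFound stops a found-but-failed user from falling back to DEFAULT. The user data is constructed.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    IGNORE = "ignore"


def check_password(stored, supplied):
    # A NULL (None) check password accepts any supplied password.
    return Result.ACCEPT if stored is None or stored == supplied else Result.REJECT


def authby_sql(table, no_default_if_found):
    """Model of AuthBy SQL over the 'overtime' table ({login: pw})."""
    def authby(user, password):
        if user in table:
            result = check_password(table[user], password)
            if result is Result.ACCEPT or no_default_if_found:
                return result          # NoDefaultIfFound: no fallback to DEFAULT
        if "DEFAULT" not in table:
            return Result.REJECT       # unknown user, no DEFAULT: REJECT, not IGNORE
        return check_password(table["DEFAULT"], password)
    return authby


def authby_file(users):
    """Model of AuthBy FILE: the real credential store for free-modem users."""
    return lambda user, password: (check_password(users[user], password)
                                   if user in users else Result.REJECT)


def run_handler(policy, authbys, user, password):
    """Walk the AuthBy list under ContinueWhileIgnore or ContinueWhileAccept."""
    result = Result.IGNORE
    for authby in authbys:
        result = authby(user, password)
        if policy == "ContinueWhileIgnore" and result is not Result.IGNORE:
            break
        if policy == "ContinueWhileAccept" and result is not Result.ACCEPT:
            break
    return result


# Constructed sample data: bob is over his time limit, alice is not.
OVERTIME = {"DEFAULT": None, "bob": "BOGUS"}       # Hugh's suggested table
FREE_USERS = {"alice": "s3cret", "bob": "bobpw"}   # /etc/radius/free_users

def hughs_handler(user, password, no_default_if_found=True):
    chain = [authby_sql(OVERTIME, no_default_if_found), authby_file(FREE_USERS)]
    return run_handler("ContinueWhileAccept", chain, user, password)

def joshs_handler(user, password):
    # Original scheme: no DEFAULT row, ContinueWhileIgnore.
    chain = [authby_sql({"bob": "BOGUS"}, False), authby_file(FREE_USERS)]
    return run_handler("ContinueWhileIgnore", chain, user, password)
```

Dropping NoDefaultIfFound lets an overtime user with a bad bogus-password check fall through to the DEFAULT row and get accepted by the later AuthBy, which is why Hugh's recipe needs all three changes together.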