(RADIATOR) Another feature suggestion: profiles via dynamic username lookup for AuthFILE
Valentin Tumarkin
tv at xpert.com
Thu Apr 3 06:04:16 CST 2003
Hi,
While doing work for our clients I very often have to implement a
'profile' scheme for users. ( By 'profile' I mean a named set of
check/reply item definitions that can be assigned to a user
by name)
AuthFILE is ideal for storing profiles, because:
* It's simple to maintain, but still rather powerful
* It has built-in caching
* Doesn't require Radiator reload/HUP on file modification
The only problem is that AuthFILE doesn't do format_special on the
username.
I used to implement this using hooks (a bit of a problem if you want to
look up the profile before you do the actual authentication). I also played
around with a modified AuthFILE module.
Now, I think, I have found a nice and rather generic solution: a modified
AuthGeneric get_user sub. The get_user sub checks whether the 'UserSearchKey'
parameter was defined and, if so, does dynamic formatting on it and uses
the result for the findUser call.
Unfortunately, the patch only works for modules that do not override
handle_request, whose findUser sub is called by AuthGeneric's
version of get_user, and whose findUser sub uses the username
it got from its call arguments.
As far as I've checked - the patch will be useful for:
AuthCDB.pm
AuthDBFILE.pm
AuthEMERALD4.pm
AuthEMERALD.pm
AuthFILE.pm
AuthNISPLUS.pm
AuthSYSTEM.pm
AuthTEST.pm
AuthUNIX.pm
(please note that actual testing was only done with AuthFILE)
A configuration example and the patch follow.
Also, speaking of profiles, I've written a nice hook for "user belonging to
multiple groups, stored in LDAP" support, and a proof-of-concept generic
caching module. Should I post them?
##############################################################
##
## config file sample
# Check DNIS Profile
<AuthBy FILE>
    Identifier Check_DNIS_Profile
    Filename %{GlobalVar:ETCDIR}/dnis_profiles
    UserSearchKey %{Called-Station-Id}
    # NoDefault
    # Nocache
</AuthBy>
# Check Group Profile, using X-Group-Name we got from LDAP
<AuthBy FILE>
    Identifier Check_Group_Profile
    Filename %{GlobalVar:ETCDIR}/group_profiles
    UserSearchKey %{X-Group-Name}
    # NoDefault
    # Nocache
</AuthBy>
<AuthBy LDAP2>
    # Map user group profile name LDAP attribute to the
    # X-Group-Name attribute in RADIUS Request packet
</AuthBy>
# Do DNIS Profile, then LDAP Auth, then User Group Profile
<Handler X-Some-Wierd-Attribute=Z>
    AuthByPolicy ContinueWhileAccept
    AuthBy Check_DNIS_Profile
    AuthBy MyLDAPAuth
    AuthBy Check_Group_Profile
</Handler>
##############################################################
# 'dnis_profiles' file:
# The key is Called-Station-Id
5550001 Realm = /^(foo|bar)$/, Auth-Type = MyAuth1
        Reply-Message = "using cascading auth 1"
5550002 Client-Identifier = /Cisco/
        cisco-avpair = "some cisco av"
        Reply-Message = "you are using Cisco NAS"
# If you want the module to 'ACCEPT' undefined cases - use 'DEFAULT'
DEFAULT
##############################################################
# 'group_profiles' file
# The key is X-Group-Name
group1
        Reply-Message = "You are in group1"
group2
        Reply-Message = "You are in group2"
## END Examples
##############################################################
##
## The patch for AuthGeneric.pm
# In the %Radius::AuthGeneric::ConfigKeywords add:
    'UserSearchKey' => 'string',
# In the 'sub get_user', before the findUser while loop, add:
    # Allow searching for the user by a RADIUS Request
    # attribute (or combination of attributes) other than User-Name
    # Valentin Tumarkin / Xpert 2003/04/03
    my $orig_user_name = $user_name;
    if ( $self->{UserSearchKey} ) {
        $user_name = &Radius::Util::format_special
            ($self->{UserSearchKey},
             $p, undef,
             $orig_user_name);
        $self->log($main::LOG_DEBUG, "Using dynamic user key '$user_name' in auth of '$orig_user_name' with $type", $p);
    }
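To show what the config and patch above add up to, here is an added Python model of the lookup (example code, not Radiator's and not part of the original post): it parses the 'dnis_profiles' file format, expands a UserSearchKey such as %{Called-Station-Id} from the request attributes the way the patched get_user does, matches the entry's check items and returns its reply items, with DEFAULT and NoDefault behaviour. The sample file, the request dicts and the cut-down format_special are constructed for the example.

```python
import re
# Constructed sample in the post's 'dnis_profiles' flat-file format (not the
# author's file): key line = check items, indented lines = reply items.
DNIS_PROFILES = """\
# The key is Called-Station-Id
5550001 Realm = /^(foo|bar)$/, Auth-Type = MyAuth1
        Reply-Message = "using cascading auth 1"
5550002 Client-Identifier = /Cisco/
        cisco-avpair = "some cisco av"
        Reply-Message = "you are using Cisco NAS"
DEFAULT
"""
# One 'Attr = value' item: a /regex/, a "quoted string" or a bare word.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*=\s*(/(?:[^/\\]|\\.)*/|"[^"]*"|[^,]+)\s*,?')

def parse_items(text):
    """Return [(attr, value)] with surrounding double quotes removed."""
    return [(a, v.strip().strip('"')) for a, v in ITEM_RE.findall(text)]

def parse_profiles(text):
    """Parse the users-file format into {key: {'check': [...], 'reply': [...]}}."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():                       # continuation: reply items
            profiles[current]['reply'] += parse_items(line)
        else:                                       # new entry: key + check items
            key, _, rest = line.partition(' ')
            current = key
            profiles[key] = {'check': parse_items(rest), 'reply': []}
    return profiles

def format_special(key, request):
    """Stand-in for Radius::Util::format_special that expands only %{Attr}."""
    return re.sub(r'%\{([\w-]+)\}', lambda m: request.get(m.group(1), ''), key)

def check_item(value, wanted):
    if len(wanted) > 1 and wanted[0] == wanted[-1] == '/':   # /regex/ check item
        return re.search(wanted[1:-1], value) is not None
    return value == wanted

def lookup(profiles, search_key, request, nodefault=False):
    """Patched get_user in miniature: expand UserSearchKey, find and check the
    entry. Returns a dict of reply items on accept, None on reject."""
    user_key = format_special(search_key, request)
    entry = profiles.get(user_key) or (None if nodefault else profiles.get('DEFAULT'))
    if entry is None:
        return None
    for attr, wanted in entry['check']:
        # Auth-Type is a Radiator-internal check item, not a request attribute
        if attr != 'Auth-Type' and not check_item(request.get(attr, ''), wanted):
            return None
    return dict(entry['reply'])
```

Note that a request without the key attribute formats to an empty key and therefore falls through to DEFAULT unless NoDefault is set, which is why the commented-out NoDefault in the config matters.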
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.