(RADIATOR) Another feature suggestion: profiles via dynamic username lookup for AuthFILE

Hugh Irvine hugh at open.com.au
Fri Apr 4 22:25:18 CST 2003


Hello Valentin -

We have recently added an "AuthenticateAttribute" parameter which 
allows you to specify a different attribute to use other than 
"User-Name", and we have also added generic caching of user database 
lookups. Perhaps you could check the latest Radiator 3.5 patches and 
let us know if these are what you are looking for (check the history 
file "doc/history.html").

As always we are more than happy to receive suggestions, patches, hooks 
and whatever for inclusion in the distribution.

Many thanks for your support.

regards

Hugh


On Thursday, Apr 3, 2003, at 22:04 Australia/Melbourne, Valentin 
Tumarkin wrote:

>
>   Hi,
>
> While doing work for our clients I very often have to implement a
> 'profile' scheme for users (by 'profile' I mean a named set of
> check/reply item definitions that can be assigned to a user by name).
>
> AuthFILE is ideal for storing profiles, because:
>
> * It's simple to maintain, but still rather powerful
> * It has built-in caching
> * Doesn't require Radiator reload/HUP on file modification
>
> The only problem is that AuthFILE doesn't do format_special on the
> username.
>
> I used to implement this using hooks (a bit of a problem if you want to
> look up the profile before you do the actual authentication). I also
> played around with a modified AuthFILE module.
>
> Now, I think, I found a nice and rather generic solution: a modified
> AuthGeneric get_user sub. The get_user sub checks if the 'UserSearchKey'
> parameter was defined, and if so does dynamic formatting on it and uses
> the result for the findUser call.
>
> Unfortunately the patch only works for modules that do not overwrite
> handle_request, their findUser sub is called by the AuthGeneric's
> version of get_user, and their findUser sub uses the username
> it got from its call arguments.
>
> As far as I've checked - the patch will be useful for:
>
> AuthCDB.pm
> AuthDBFILE.pm
> AuthEMERALD4.pm
> AuthEMERALD.pm
> AuthFILE.pm
> AuthNISPLUS.pm
> AuthSYSTEM.pm
> AuthTEST.pm
> AuthUNIX.pm
> (please note that actual testing was only done with AuthFILE)
>
>
> A configuration example and the patch follow.
>
>
> Also, speaking of profiles, I've written a nice hook for "user belonging
> to multiple groups, stored in LDAP" support, and a proof-of-concept
> generic caching module. Should I post them?
>
>
> ##############################################################
> ##
> ## config file sample
>
> # Check DNIS Profile
> <AuthBy FILE>
>         Identifier      Check_DNIS_Profile
>         Filename        %{GlobalVar:ETCDIR}/dnis_profiles
>         UserSearchKey   %{Called-Station-Id}
>         # NoDefault
>         # Nocache
> </AuthBy>
>
> # Check Group Profile, using X-Group-Name we got from LDAP
> <AuthBy FILE>
>         Identifier      Check_Group_Profile
>         Filename        %{GlobalVar:ETCDIR}/group_profiles
>         UserSearchKey   %{X-Group-Name}
>         # NoDefault
>         # Nocache
> </AuthBy>
>
> <AuthBy LDAP2>
> 	# Map user group profile name LDAP attribute to the
> 	# X-Group-Name attribute in RADIUS Request packet
> </AuthBy>
>
> # Do DNIS Profile, then LDAP Auth, then User Group Profile
> <Handler X-Some-Wierd-Attribute=Z>
>         AuthByPolicy ContinueWhileAccept
>         AuthBy  Check_DNIS_Profile
>         AuthBy  MyLDAPAuth
>         AuthBy  Check_Group_Profile
> </Handler>
>
> ##############################################################
> # 'dnis_profiles' file:
> # The key is Called-Station-Id
> 5550001	Realm = /^(foo|bar)$/,Auth-Type=MyAuth1
> 	Reply-Message="using cascading auth 1"
>
> 5550002	Client-Identifier = /Cisco/
> 	cisco-avpair = "some cisco av"
> 	Reply-Message="you are using Cisco NAS"
>
> # If you want the module to 'ACCEPT' undefined cases - use 'DEFAULT'
> DEFAULT
>
> ##############################################################
> # 'group_profiles' file
> # The key is X-Group-Name
> group1	
> 	Reply-Message="You are in group1"
>
> group2
> 	Reply-Message="You are in group2"
>
> ## END Examples
>
> ##############################################################
> ##
> ## The patch for AuthGeneric.pm
>
> # In the %Radius::AuthGeneric::ConfigKeywords add:
>        'UserSearchKey'		   => 'string',
>
>  	
> # In the 'sub get_user', before the findUser while loop
>  	# Allow searching for the user using a RADIUS
>  	# Request attribute (or combination) other than User-Name
>  	# Valentin Tumarkin / Xpert   2003/04/03
>  	my $orig_user_name = $user_name;
>  	if ( $self->{UserSearchKey} ) {
>  		$user_name = &Radius::Util::format_special
>  			($self->{UserSearchKey},
>  		 	$p, undef,
>  		 	$orig_user_name);
>  		$self->log($main::LOG_DEBUG,
>  			"Using dynamic user key '$user_name' in auth of '$orig_user_name' with '$type'", $p);
>  	}
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
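The dynamic-key lookup Valentin describes, as an added example that is not part of this thread or of Radiator's own code: a small Python model (Python rather than Radiator's Perl, so it runs stand-alone) of the users-file layout from the 'dnis_profiles' sample and of the patched get_user flow, namely build the search key from request attributes with a %{Attr} expansion, find the matching entry, and fall back to DEFAULT when one exists. Assumptions: the file parser is a toy (no commas inside values), an absent request attribute expands to the empty string, Realm is supplied as a plain request attribute, and an Auth-Type check item is treated as a hand-off directive rather than a comparison. The sample file text and request attributes are constructed from the post.

```python
import re

# Constructed sample of the 'dnis_profiles' file from the thread; the key column
# is the Called-Station-Id, so the file is searched with a key other than User-Name.
DNIS_PROFILES = """\
# The key is Called-Station-Id
5550001\tRealm = /^(foo|bar)$/,Auth-Type=MyAuth1
\tReply-Message="using cascading auth 1"

5550002\tClient-Identifier = /Cisco/
\tcisco-avpair = "some cisco av"
\tReply-Message="you are using Cisco NAS"

# If you want the module to 'ACCEPT' undefined cases - use 'DEFAULT'
DEFAULT
"""

# One 'Name = value' item: value is "quoted", /regex/ or bare up to the next comma.
_ITEM = re.compile(r'\s*([\w-]+)\s*=\s*("[^"]*"|/[^/]*/|[^,]*?)\s*(?:,|$)')


def split_items(text):
    """Turn 'A = x, B="y z"' into [('A', 'x'), ('B', 'y z')]. Quotes are stripped;
    /regex/ values keep their slashes so the matcher can recognise them."""
    items = []
    for m in _ITEM.finditer(text):
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        items.append((name, value))
    return items


def parse_users_file(text):
    """Toy parser for the users-file layout: a non-indented line opens an entry
    (key, then comma-separated check items); indented lines add reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply item before any profile key")
            entries[-1]["reply"].extend(split_items(raw.strip()))
        else:
            parts = raw.split(None, 1)
            entries.append({"key": parts[0],
                            "check": split_items(parts[1]) if len(parts) > 1 else [],
                            "reply": []})
    return entries


def format_special(template, request):
    """Minimal stand-in for Radius::Util::format_special: expand %{Attr} from the
    request attributes. Assumption: an absent attribute expands to ''."""
    return re.sub(r"%\{([\w-]+)\}", lambda m: request.get(m.group(1), ""), template)


def check_items_pass(check, request):
    """Evaluate check items: /regex/ values are searched, anything else must match
    exactly, and a missing attribute fails the item. Auth-Type is treated as a
    hand-off directive (assumption), so it is returned instead of compared."""
    auth_type = None
    for name, value in check:
        if name == "Auth-Type":
            auth_type = value
            continue
        actual = request.get(name)
        if actual is None:
            return False, None
        if len(value) >= 2 and value.startswith("/") and value.endswith("/"):
            if not re.search(value[1:-1], actual):
                return False, None
        elif actual != value:
            return False, None
    return True, auth_type


def lookup_profile(entries, search_key_template, request):
    """Mirror of the patched get_user: derive the key from the request, take the
    first entry whose key and check items match, then try DEFAULT, else reject."""
    key = format_special(search_key_template, request)
    for candidate in (key, "DEFAULT"):
        for entry in entries:
            if entry["key"] != candidate:
                continue
            ok, auth_type = check_items_pass(entry["check"], request)
            if ok:
                return {"accept": True, "key": candidate,
                        "auth_type": auth_type, "reply": dict(entry["reply"])}
    return {"accept": False, "key": key, "auth_type": None, "reply": {}}


if __name__ == "__main__":
    profiles = parse_users_file(DNIS_PROFILES)
    req = {"User-Name": "alice@foo", "Called-Station-Id": "5550001", "Realm": "foo"}
    print(lookup_profile(profiles, "%{Called-Station-Id}", req))
```

Running the lookup with the DEFAULT line present shows the behaviour the sample file warns about: a request whose key matches nothing, including one with no Called-Station-Id at all (the key then expands to an empty string), is accepted via DEFAULT with an empty reply set. With the DEFAULT line removed the same requests are rejected, which is the setting to keep for any AuthBy in the cascade that is meant to act as an accept/reject gate rather than only to attach reply items.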
