(RADIATOR) Problem mixing AuthBy File and AuthBy SQL

terry at ccis.net terry at ccis.net
Thu Feb 13 09:32:29 CST 2003


We've been running radiator using unix password authentication. I needed to
add CHAP, and based on input from the list, here's what I did. I took the
original, which looks up users in a file "users2" which contains all the
unique check items (and a default), with Auth-Type = "UNIX". Then the
username/password is checked against a unix-encrypted file, passwd2,
thusly:
--------------------------

# This AuthBy will be used to authenticate anything in the
# users2 file with Auth-Type=UNIX by looking in passwd2
<AuthBy UNIX>
     Identifier UNIX
     Filename %D/passwd2
</AuthBy>

<Handler>
     # remove the "@domain" part (if it exists)
     RewriteUsername s/^([^@]+).*/$1/
     # remove spaces
     RewriteUsername s/\s//g
     AuthByPolicy ContinueAlways
     AcctLogFileName     %L/detail
     <AuthBy SQL>
          # AuthSelect with empty string means don't do auth
          AuthSelect
          DBSource        dbi:mysql:radius:marvin.ccis.net
          ...blah blah blah...
     </AuthBy>
     # Make sure they appear in the users2 file
     # Anyone with Auth-Type=UNIX in the users2 file will be
     # authenticated with the AuthBy UNIX above
     <AuthBy FILE>
          Filename        %D/users2
     </AuthBy>
</Handler>


-----------------
Now comes the sticky part... I thought all I had to do to enable plaintext
passwords (for CHAP) was add another AuthBy in the Handler, which looks up
username/password pairs in a MySQL database:
-----------------

     # authenticate from info in the passwd3 (local) database
     <AuthBy SQL>
          DBSource  dbi:mysql:nocol_replication
          DBUsername     XXXXX
          DBAuth    XXXXX
          AuthSelect     select password from passwd3 where username=%0
          AuthColumnDef  0, User-Password, check
     </AuthBy>

-----------------
...but it occurred to me around 4 AM that all the check items that give our
customers static IPs, subnets, and ISDN access, as well as denying access
to email-only users with a "Reject" clause, are back in the old users2
file, which is not referenced in the AuthBy SQL clause. I think I could put
the check items in the database, but that would be very difficult, as the
SQL file is generated by Platypus, and the check items in 'users2' are
generated by unix, using a combination of automation and a manual exceptions
file, like this:
-----------------
....
ickien Auth-Type = "Reject"
villari Auth-Type = "Reject"
whitfordcc Auth-Type = "Reject"
whs Auth-Type = "Reject"
willson Auth-Type = "Reject"
wjinc Auth-Type = "Reject"
wm Auth-Type = "Reject"
wwwfaddis Auth-Type = "Reject"
wwwfrankelec Auth-Type = "Reject"

#BEGIN AUTO generated ISDN Users - PLAT 02/13/2003 09:46:50
lorri    Auth-Type = "UNIX"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 209.195.204.34,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
...
thesignalgw      Auth-Type = "UNIX"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 209.195.209.218,
        Framed-Netmask = 255.255.255.248,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
...
DEFAULT Auth-Type = "UNIX", NAS-Port-Type = Async
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP...

------------------------------
I guess the question here is: Is there any way I can tell the AuthBy SQL to
fetch the check items from the users2 file, while using its username and
password fields for the authentication part?

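As an added illustration (not part of the original post), here is one way to keep users2 as the single source of check items and Reject entries while the SQL table only supplies the CHAP password: the same Identifier / Auth-Type delegation the post already uses for UNIX, applied to a second clause. It assumes Radiator accepts an AuthBy Identifier as an Auth-Type value, which is how the existing UNIX clause is wired; the identifier name "SQL" and the passwd3 table are taken from the post and are otherwise assumptions.

```conf
# Added example, not the poster's configuration.
# Existing clause, unchanged: encrypted unix passwords for PAP users
<AuthBy UNIX>
    Identifier UNIX
    Filename   %D/passwd2
</AuthBy>

# New clause: plaintext passwords for CHAP users, looked up by username.
# The Identifier is what a users2 entry's Auth-Type can refer to.
<AuthBy SQL>
    Identifier   SQL
    DBSource     dbi:mysql:nocol_replication
    DBUsername   XXXXX
    DBAuth       XXXXX
    AuthSelect   select password from passwd3 where username=%0
    AuthColumnDef 0, User-Password, check
</AuthBy>

<Handler>
    # remove the "@domain" part (if it exists), then any spaces
    RewriteUsername s/^([^@]+).*/$1/
    RewriteUsername s/\s//g
    AcctLogFileName %L/detail
    # Only the file clause sits in the Handler: every request must match
    # a users2 entry, so the Reject entries, static IPs and the DEFAULT
    # are enforced first, and the entry's Auth-Type then selects which
    # clause (UNIX or SQL) verifies the password. The accounting-only
    # AuthBy SQL from the original post is left out of this example.
    <AuthBy FILE>
        Filename %D/users2
    </AuthBy>
</Handler>
```

In users2, a CHAP user's entry would then read `Auth-Type = "SQL"` in place of `Auth-Type = "UNIX"`, keeping its Framed-* reply items exactly as the generator writes them, while the `Auth-Type = "Reject"` entries stay untouched and still deny the email-only accounts before any password lookup happens.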