(RADIATOR) AuthLDAP
Hugh Irvine
hugh at open.com.au
Wed Jun 2 19:12:05 CDT 2004
Hello Riza -
The problem here is that an AuthBy LDAP2 clause will never be called
for an accounting request (the request is always accepted, however no
processing is done). The only way to do what you describe is to write a
hook. There are some example hooks in the file "goodies/hooks.txt".
Alternatively you could look up the LDAP attribute when you do the
authentication and return it in the access accept in the Class
attribute. The Class attribute will then be included in all subsequent
accounting requests for the user session.
regards
Hugh
On 3 Jun 2004, at 01:17, Riza Kamalie wrote:
> Hi,
>
> We currently use a separate handler to deal with accounting stop
> records and I am having a problem with reading in LDAP attributes into
> a custom auth module <AuthXXXX>. I believe I have defined the attributes
> in the auth module correctly that are used in the config file, namely
> <PrepaidValue>.
>
> Below is the handler for the stop record and a snippet of the test code.
>
> I would like to manipulate a stop record attribute based on what I
> find in LDAP for a user.
>
> Please assist,
>
> -----------------------------------------------------------------------
>
> <Handler Acct-Status-Type = "Stop">
>
> # Convert Upper to lower case
> # Removes all spaces
> # Rewrites only username for username with forward/backslash
>
>
>
> RewriteUsername tr/A-Z/a-z/
> RewriteUsername s/\s+//g
>
> AuthByPolicy ContinueWhileAccept
>
> <AuthBy LDAP2>
> Host eldap.worldonline.co.za
> HoldServerConnection
> NoDefaultIfFound
> NoDefault
>
> # if ldap search fails backoff for 30 seconds
> FailureBackoffTime 30
>
> # Added so that Radiator does not have to bind on every request
> # NoBindBeforeOp
>
> AuthDN uid=xxxx,ou=xxxx,o=WOL,c=xxx
> AuthPassword unlink
>
> BaseDN ou=xxx,ou=users,o=xxx,c=xxx
>
> UsernameAttr uid
> AuthAttrDef radiusauthentication,LDAP_test,reply
> AuthAttrDef radiusprepaidvalue,testing,reply
>
> </AuthBy>
> <AuthBy XXXXX>
> PrepaidValue %{testing}
> </AuthBy XXXXX>
>
> -----------------------------------------------------------------------
>
> AuthXXXXX <snippet>
> elsif ($p->code eq 'Accounting-Request')
> {
>
> print "\n\nacccccccccccounting\n\n";
>
> if ($p->getAttrByNum($Radius::Radius::ACCT_STATUS_TYPE) eq 'Stop')
> {
> my @a;
> my $old_item;
> my $test;
>
> @a=$p->get_attr('LDAP_test');
> $old_item=$p->get_attr('RadiusAuthentication');
> $test=$p->get_attr('testing');
>
> print "LDAP: @a\n";
> print "In request: $old_item\n";
> print "Prep: $test\n";
>
> }
> $self->log($main::LOG_DEBUG,
> "Radius::AuthWOLPrepaidAccounting ACCEPT:");
> return ($main::ACCEPT);
>
> ================================================================
>
>
>
> Radiator foreground output
>
> /usr/bin/perl /usr/bin/radiusd -config_file ./radius-tiscali.cfg -foreground
>
>
>
> cccccccccccounting
>
> LDAP: <EMPTY>
> In request: analogue
> Prep: <EMPTY>
>
>
>
>
>
>
> Riza Kamalie
> Engineering: Specialist: Authentication
>
> TISCALI (PTY) LTD
> INTERNET WITH A PASSION.
>
> 082 Alexander Road, Bellville
> Mobile : +27 82 520 1129
> Office : 021 940 9954
> Fax : +27 21 940 9103
> E-Mail : Riza.Kamalie at za.tiscali.com
> http://www.tiscali.co.za
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
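
The Class-attribute approach from the reply above, sketched as a configuration fragment. This is an added example, not configuration from the thread or from the Radiator distribution. The LDAP attribute name, host and DNs are the ones in the quoted configuration; the handler layout, the xxxx password placeholder and the use of %{Class} in the custom module's PrepaidValue parameter are assumptions.

```conf
# Added example. AuthBy XXXXX and PrepaidValue are the poster's own custom
# module and parameter; whether that module expands %{...} is an assumption.

# Access-Request handler: AuthBy LDAP2 is called here, so the LDAP lookup
# happens once, at authentication time.
<Handler Request-Type = Access-Request>
    <AuthBy LDAP2>
        Host            eldap.worldonline.co.za
        AuthDN          uid=xxxx,ou=xxxx,o=WOL,c=xxx
        AuthPassword    xxxx
        BaseDN          ou=xxx,ou=users,o=xxx,c=xxx
        UsernameAttr    uid

        # Return the LDAP value to the NAS in the Class attribute of the
        # Access-Accept instead of in a private attribute name.
        AuthAttrDef     radiusprepaidvalue,Class,reply
    </AuthBy>
</Handler>

# Stop handler: no AuthBy LDAP2 clause. The NAS includes the Class it was
# given in the accounting requests for the session, so the custom module
# reads it from the request, e.g. with $p->get_attr('Class').
<Handler Acct-Status-Type = Stop>
    RewriteUsername tr/A-Z/a-z/
    RewriteUsername s/\s+//g

    <AuthBy XXXXX>
        PrepaidValue    %{Class}
    </AuthBy>
</Handler>
```

Class is not encrypted on the wire and comes back from the NAS as part of the accounting request, so it should not carry secrets, and the Stop handler should validate the value before acting on it.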