(RADIATOR) Feature Request, Patch attached: AuthBy SQL and PostAuthSelectHook

Hugh Irvine hugh at open.com.au
Wed Nov 24 15:15:31 CST 2004 

Hi Charly -

Many thanks for your contribution (again...).

best regards

Hugh



On 25 Nov 2004, at 02:08, Karl Gaissmaier wrote:

> Hi Mike or Hugh and all Radiator lovers,
>
> we have a big Oracle user database as backend, storing
> account and service data for all our users. If we want to
> block one service for an user (like WLAN access if his Laptop
> is infected with viruses and trojans) we set a flag in the
> database to disable just the WLAN access for this user, still
> providing the e-mail and other services.
>
> AuthSQL isn't smart enough to deal with this until I change
> the table definitions. Even the parameter AuthColumnDef can't
> solve this. Until now I had a really poor workaround with the
> (maybe Oracle specific) SQL function decode():
>
> # trick: return check-item Auth-Type = Accept|Reject
> AuthColumnDef   0, Auth-Type, check
>
> # select service disable flag
> AuthSelect  SELECT decode(sign(disflag), 0, 'Accept', 'Reject')\
>                FROM ....
>
>
> this could be really better done with a PostAuthSelectHook:
>
> AuthColumnDef        0, Auth-Type, check
>
> PostAuthSelectHook   sub { my ($self, $name, $p, $user, $row) = @_; \
>                            my $flag = $row->[0];                    \
>                            $row->[0] = $flag ? 'Reject' : 'Accept'; \
>                           }
>
> with the following hook parameter documentation
> (similar to AuthBy LDAP and PostSerchHook):
>
> 6.29.23 PostAuthSelectHook
>
> This optional parameter allows you to define a Perl function that will 
> be run during the authentication process. The hook will be called 
> after the AuthSelect results have been received, and after Radiator 
> has processed the attributes it is interested in.
>
> The first argument passed to the hook is a handle to the current 
> AuthBy SQL object. The second argument is the name of the user being 
> authenticated. The third argument is a pointer to the current request. 
> The fourth argument is a pointer to the User object being constructed 
> to hold the check and reply items for the user being authenticated.
> The fifth argument ($_[4]) is a reference to the @row resulting from 
> AuthSelect.
>
> (Example missing, goodies missing)
>
> With this PostAuthSelectHook you can use ANY database schema.
> This would be much more powerful than AuthColumnDef since in this
> hook you can rewrite all @row values, add check- reply items
> directly to the user object and much more.
>
> I would appreciate it if you could incorporate this feature
> in the 3.11 patches and the next Radiator release.
>
> Thanks in advance
>     Charly
>
> P.S. really small patch attached
>
> -- 
> Karl Gaissmaier       KIZ/Infrastructure, University of Ulm, Germany
> Email:karl.gaissmaier at kiz.uni-ulm.de           Service Group Network
> Tel.: ++49 731 50-22499
> --- old/AuthSQL.pm	2004-11-24 15:52:46.945153000 +0100
> +++ new/AuthSQL.pm	2004-11-24 15:52:22.327465000 +0100
> @@ -16,6 +16,7 @@
>  %Radius::AuthSQL::ConfigKeywords =
>      ('AccountingTable'       => 'string',
>       'AuthSelect'            => 'string',
> +     'PostAuthSelectHook'    => 'hook',
>       'EncryptedPassword'     => 'flag',
>       'AcctSQLStatement'      => 'stringarray',
>       'AuthSQLStatement'      => 'stringarray',
> @@ -225,6 +226,9 @@
>      {
>  	$user = new Radius::User $name;
>
> +	# Perhaps run a hook to do other things with the SELECT data
> +	$self->runHook('PostAuthSelectHook', $p, $self, $name, $p, $user, 
> \@row);
> +
>  	# If the config has defined how to handle the columns
>  	# in the AuthSelect statement with AuthColumnDef, use
>  	# that to extract check and reply items from
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list