(RADIATOR) When dealing with a fair bit of logic in the authentication procedure

Hugh Irvine hugh at open.com.au
Wed Aug 3 20:21:18 CDT 2005


Hello Matt -

I suggest you consider using a hook to implement your logic (probably  
a PostAuthHook).

See the examples in "goodies/hooks.txt".

regards

Hugh


On 4 Aug 2005, at 10:31, Matthew Lohier wrote:

> Hi Hugh,
>
>
>
> I’m running Radiator-3.13 on linux, and I’m in the process of  
> implementing an authentication procedure with Radiator. Our  
> procedure -or procedures I must say- are quite complex and involve  
> quite a lot of logic.
>
> They take:
>
> - 2 LDAP queries,
>
> - 6 to 8 logical expressions ( if() ) mostly based on the  
> returned attributes from the ldap queries.
>
>
>
> I have so far developed a prototype using AuthBy EXTERNAL based on  
> a perl script that handles the logic and queries the LDAP servers.  
> It’s working well (using radpwtst, single-shot test case) but I’m  
> not sure how well it’s going to perform in a real environment.
>
>
>
> I have read the bit about Fork config parameter. I will experience  
> both configurations.
>
>
>
> Is there any other alternative than AuthBy EXTERNAL that could  
> handle all the logic we need? Of course AuthBy LDAP2 works well to  
> perform a LDAP query but then it does not give me the necessary  
> logic I think.
>
>
>
> I’ve included some pseudo-code to give you some indication of what I’m  
> trying to achieve.
>
>
>
> Procedure:
>
> The Access-Request issued to Radius includes param1, param2 and param3.
>
> 1/ LDAP1 query based on param1
>
> 2/ If no entry Access-Reject is returned.
>
> 3/ If reply1-attribute1 == 3, we need to match reply1-attribute2  
> with param2.
>
> 4/ If the matching fails Access-Reject is returned.
>
> 5/ LDAP2 query
>
> 6/ If no entry a pre-configured action is returned (Access-Accept  
> or Access-Reject).
>
> 7/ If entry is found, reply2-attribute1 is tested
>
> 8/ If reply2-attribute1 == 1 Access-Reject is returned.
>
> 9/ If reply1-attribute1 == 2, regular expression must match with param3
>
> 10/ If they don’t match, Access-Reject is returned.
>
> 11/ Access-Accept is returned with other reply-attributes
>
>
>
> I guess I’d like to be sure that AuthBy EXTERNAL is the way to go  
> in this case, or otherwise be given some new directions.
>
>
>
> Thanks for your reply, best regards / Matt
>
>
>
>
>
>
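The eleven-step procedure in the quoted post, as an added example that is not part of this thread or of Radiator: a Python function that applies the steps to constructed directory entries, keeping the decision logic separate from the RADIUS glue so it can be unit-tested before it is wired into a PostAuthHook or an AuthBy EXTERNAL script. The post does not say which key the second LDAP query uses, where the regular expression of step 9 comes from, or how the "other reply-attributes" are stored; the code assumes param1, a `regex` field of the LDAP2 entry, and a `reply` field respectively.

```python
import re

ACCEPT, REJECT = "Access-Accept", "Access-Reject"

# Constructed sample entries standing in for the two LDAP servers.
# Keys are the request's param1; attribute names follow the post's pseudo-code.
LDAP1 = {
    "alice": {"attribute1": 3, "attribute2": "tokenA"},
    "bob":   {"attribute1": 2, "attribute2": "-"},
    "carol": {"attribute1": 0, "attribute2": "-"},
    "erin":  {"attribute1": 0, "attribute2": "-"},
}
LDAP2 = {
    "alice": {"attribute1": 0, "reply": {"Framed-IP-Address": "192.0.2.10"}},
    "bob":   {"attribute1": 0, "regex": r"nas-\d+", "reply": {"Session-Timeout": 3600}},
    "erin":  {"attribute1": 1, "reply": {}},
    # "carol" deliberately has no LDAP2 entry, so step 6 applies to her
}

def authorize(request, ldap1=LDAP1.get, ldap2=LDAP2.get, default_action=REJECT):
    """Steps 1-11 from the post. ldap1/ldap2 are lookup callables that return an
    entry dict or None. Returns (result, detail): detail is the reject reason or,
    on accept, the reply attributes to add to the Access-Accept (step 11)."""
    entry1 = ldap1(request["param1"])                       # step 1
    if entry1 is None:
        return REJECT, "no LDAP1 entry"                     # step 2
    if entry1.get("attribute1") == 3 and entry1.get("attribute2") != request["param2"]:
        return REJECT, "reply1-attribute2 does not match param2"   # steps 3-4
    entry2 = ldap2(request["param1"])                       # step 5 (assumed key: param1)
    if entry2 is None:
        # step 6: the pre-configured action. Accept here is fail-open; Reject is
        # the safe default when the second directory cannot vouch for the user.
        return default_action, "no LDAP2 entry, pre-configured action applied"
    if entry2.get("attribute1") == 1:
        return REJECT, "reply2-attribute1 == 1"             # steps 7-8
    if entry1.get("attribute1") == 2:                       # step 9, as written in the post
        pattern = entry2.get("regex")                       # assumed to live in the LDAP2 entry
        # fullmatch anchors the pattern; search() would let "nas-1x" pass nas-\d+
        if pattern is None or not re.fullmatch(pattern, request["param3"]):
            return REJECT, "param3 does not match regular expression"   # step 10
    return ACCEPT, dict(entry2.get("reply", {}))            # step 11
```

Each reject carries a reason string so the hook can log why a request failed, which is what a trace 4 debug of the real server would have to reveal anyway.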


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.