(RADIATOR) PostAuthSelectHook conditional execution

Hugh Irvine hugh at open.com.au
Fri Jan 6 16:02:06 CST 2006


Hello Toomas -

MySQL 5 now supports stored procedures, although it's early days, I agree.

Your approach is a good one.

regards

Hugh


On 6 Jan 2006, at 21:44, Toomas Kärner wrote:

> Hi Hugh
>
> I'm using MySQL, so the stored procedures are out.
> Let me explain where and how I wanted to use it (I have found already
> a workaround, so it's not a problem for me, I just let you know).
> I'm using several AuthBy SQLs that all do AuthSelect. First ones
> "authenticate" the connection from where the user is coming from. It
> also adds connection specific (not user specific) attributes to the
> request. Second AuthBy SQL authenticates the user and it also uses the
> attributes that were added by the first AuthBy for authentication.
> Now imagine if first or second AuthBy AuthSelect gets "Empty Set" from
> database then I always get the same: "AuthBy SQL result: REJECT, No
> such user". This is confusing for HD since they don't know if the user
> made a typo in username or the connection that he/she tried to access
> is not in the database.
> I was hoping to use a PostAuthSelectHook to detect Empty Set as a
> result for AuthSelect and depending on the real use of AuthBy, modify
> Reject reason accordingly ("Connection not found" if it was a
> connection lookup AuthSelect and "Username not found" if it was
> username lookup AuthSelect).
> Workaround that I made sets up a flag if AuthSelect got something.
> Every AuthSelect has their own flag and in PostAuthHook I can detect
> which AuthSelect failed by detecting which flag is missing.
> Flag is set like this:
> AuthSelect select .....(your old set of attributes...., "1" from ...
> AuthColumnDef ....(your old def's)
> .
> .
> AuthColumnDef n+1, MyConnFoundFlag, request
>
> And in PostAuthHook I use the flags like this:
> my $p = ${$_[0]};    # current request (first hook argument)
> my $myconnfoundflag = $p->get_attr('MyConnFoundFlag');
> my $mymessage;
>     # $_[2] is a reference to the result, $_[3] a reference to the reason
>     if (${$_[2]} == $main::REJECT) {
>         &main::log($main::LOG_DEBUG, "Request has been rejected, search for reason.");
>         $_ = ${$_[3]};
>         if (/No such user/) {
>             # The flag is only present if the connection AuthSelect returned a row
>             if (!$myconnfoundflag) {
>                 $mymessage = 'Connection not found in database';
>             }
>         }
>         if ($mymessage) {
>             ${$_[3]} = $mymessage;
>             &main::log($main::LOG_DEBUG, "Found reason: \"$mymessage\" for reject.");
>         }
>     }
>
> Rgds.
> Toomas
>
>
> Friday, January 6, 2006, 9:35:16 AM, you wrote:
>
>> Hello Toomas -
>
>> The PostAuthSelectHook is meant to process the results of the
>> AuthSelect.
>
>> If you always want to run a hook you can use a PostAuthHook or a
>> PostProcessingHook.
>
>> I generally find that it is much more useful to call a stored
>> procedure in the database if I want to do something complex.
>
>> regards
>
>> Hugh
>
>
>> On 6 Jan 2006, at 17:12, Toomas Kärner wrote:
>
>>> Hi,
>>> I have found out that PostAuthSelectHook will NOT be executed if
>>> AuthSelect query returns "Empty set". Is it supposed to be so?
>>> I think this hook could be more powerful if it would be executed
>>> always.
>>> Rgds.
>>> Toomas
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>
>
>> NB:
>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>
>

