(RADIATOR) Dynamic selection of authentication module question ?
Frank Danielson
fdanielson at csky.com
Sat Feb 9 09:53:37 CST 2008
This can be accomplished using a hook. There is an example of choosing and
calling an AuthBy module in hooks.txt. Or you can use a PreHandler hook in
your client clause to add an attribute that is used later in choosing a
Handler.
Here's an oversimplified example. You'd have to write something to
implement the logic that chooses the identifier.
<Client>
# Client config
# Fake a new attribute into the request. 'local' is only a stand-in:
# replace it with your own logic that chooses the identifier.
PreHandlerHook sub { my $identifier = 'local'; \
${$_[0]}->add_attr('Identifier-Attribute', $identifier);}
</Client>
<Handler Identifier-Attribute=local>
AuthByPolicy ContinueUntilReject
AuthBy SQLAuthentication
AuthLog LogAuthentication
# Log accounting to the detail file in LogDir
AcctLogFileName %L/detail
</Handler>
<Handler Identifier-Attribute=central>
AuthByPolicy ContinueUntilReject
AuthBy PAMAuthentication
AuthLog LogAuthentication
# Log accounting to the detail file in LogDir
AcctLogFileName %L/detail
</Handler>
Frank Danielson
Infrastructure Architect
ClearSky Mobile Media
56 E. Pine St.
Orlando, FL 32801
USA
fdanielson at csky.com
-----Original Message-----
From: Markus Moeller [mailto:huaraz at moeller.plus.com]
Sent: Saturday, February 09, 2008 9:53 AM
To: radiator at open.com.au
Subject: (RADIATOR) Dynamic selection of authentication module question ?
Is it possible to select an authentication module more dynamically (e.g.
depending on the result of a previous module) ?
I was thinking of the following:
<AuthBy PAM>
Identifier PAMAuthentication
service radiusd
</AuthBy>
<AuthBy SQL>
Identifier SQLAuthentication
.
.
</AuthBy>
<Realm>
AuthByPolicy ContinueUntilReject
AuthBy LDAPSelect
# Now call either AuthBy or pass it again through the correct realm section
AuthBy %{AuthID}
AuthLog LogAuthentication
# Log accounting to the detail file in LogDir
AcctLogFileName %L/detail
# or
Realm %{UserRealm}
#
</Realm>
<Realm local.com>
AuthByPolicy ContinueUntilReject
AuthBy SQLAuthentication
AuthLog LogAuthentication
# Log accounting to the detail file in LogDir
AcctLogFileName %L/detail
</Realm>
<Realm central.com>
AuthByPolicy ContinueUntilReject
AuthBy PAMAuthentication
AuthLog LogAuthentication
# Log accounting to the detail file in LogDir
AcctLogFileName %L/detail
</Realm>
Usually you would use the realm of a user to decide what to do with <REALM
userrealm>, but in my case an application cannot provide the realm
details. I can get the realm from an LDAP server and can either set a
variable, add it to the request as an attribute or as a check item.
The only problem I have is I cannot dynamically select the Authentication
module nor process it via another Handler or Realm statement.
Or can I ?
Thank you
Markus
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
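The chooser logic that the reply leaves open, written out as an added example (not code from the original thread or from Radiator itself): the hook discards any Identifier-Attribute that arrived with the request, maps the looked-up realm through an allowlist, and adds no attribute for unknown realms so that neither Handler above matches. The names choose_identifier, pre_handler_hook, FakeRequest and the sample realm table are hypothetical; get_attr, add_attr and delete_attr are assumed to behave like the methods of the same name on a Radiator request.

```perl
#!/usr/bin/perl
use 5.014;
use strict;
use warnings;

# Constructed sample data: user name -> realm, standing in for the LDAP lookup.
my %realm_of = (alice => 'local.com', bob => 'central.com', eve => 'other.example');

# Allowlist: only these realms may select a Handler.
my %identifier_for = ('local.com' => 'local', 'central.com' => 'central');

# Hypothetical chooser: returns 'local', 'central', or undef (fail closed).
sub choose_identifier {
    my ($user) = @_;
    return unless defined $user;
    my $realm = $realm_of{lc $user};
    return unless defined $realm;
    return $identifier_for{lc $realm};
}

# Hook body. The hook receives a reference to the request, hence ${$_[0]}.
# Any Identifier-Attribute already present in the request is deleted first,
# so only the value chosen here can match a Handler.
sub pre_handler_hook {
    my $p = ${$_[0]};
    $p->delete_attr('Identifier-Attribute');
    my $id = choose_identifier($p->get_attr('User-Name'));
    $p->add_attr('Identifier-Attribute', $id) if defined $id;
    return;
}

# Minimal stand-in for a request, only so the sketch runs outside Radiator.
package FakeRequest {
    sub new { my ($c, %a) = @_; return bless { a => [ map { [ $_, $a{$_} ] } keys %a ] }, $c }
    sub get_attr { my ($s, $n) = @_; for (@{ $s->{a} }) { return $_->[1] if $_->[0] eq $n } return undef }
    sub add_attr { my ($s, $n, $v) = @_; push @{ $s->{a} }, [ $n, $v ]; return }
    sub delete_attr { my ($s, $n) = @_; @{ $s->{a} } = grep { $_->[0] ne $n } @{ $s->{a} }; return }
}

for my $user (qw(alice bob eve mallory)) {
    # Each constructed request arrives with the selector attribute already set.
    my $p = FakeRequest->new('User-Name' => $user, 'Identifier-Attribute' => 'central');
    pre_handler_hook(\$p);
    printf "%-8s -> %s\n", $user, $p->get_attr('Identifier-Attribute') // '(no Handler selected)';
}
```

In a Radiator configuration, the body of pre_handler_hook would go inside the PreHandlerHook sub { ... } of the Client clause, with the realm table replaced by the real LDAP lookup.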