(RADIATOR) Dynamic selection of authentication module question ?
Markus Moeller
huaraz at moeller.plus.com
Sat Feb 9 12:31:57 CST 2008
Thank you for the feedback. I see how that could work. In my case I think it
would mean everything I do in my LDAPSelect (which is a <AuthBy LDAP2>) needs
to be done in the PreHandler. Does the prehandler have access to the reply
packet too? I am asking since my LDAP2 sets a reply attribute for use in
the TACACS authorisation with GroupMemberAttr T-GROUP and I wouldn't like
to connect twice to the ldap server.
<AuthBy LDAP2>
..
AuthAttrDef tacacsauthgroup,T-GROUP,reply
..
</AuthBy>
Thank you
Markus
----- Original Message -----
From: "Frank Danielson" <fdanielson at csky.com>
To: <radiator at open.com.au>
Sent: Saturday, February 09, 2008 3:53 PM
Subject: RE: (RADIATOR) Dynamic selection of authentication module question ?
> This can be accomplished using a hook. There is an example of choosing and
> calling an AuthBy module in hooks.txt. Or you can use a PreHandler hook in
> your client clause to add an attribute that is used later in choosing a
> Handler.
>
> Here's an oversimplified example. You'd have to write something to
> implement the logic that chooses the identifier.
>
> <Client>
> Client config
> # Fake a new attribute into the request
> PreHandlerHook sub { my $identifier=some chooser logic; \
> ${$_[0]}->add_attr('Identifier-Attribute', $identifier);}
> </Client>
>
> <Handler Identifier-Attribute=local>
> AuthByPolicy ContinueUntilReject
> AuthBy SQLAuthentication
> AuthLog LogAuthentication
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L/detail
> </Handler>
>
> <Handler Identifier-Attribute=central>
> AuthByPolicy ContinueUntilReject
> AuthBy PAMAuthentication
> AuthLog LogAuthentication
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L/detail
> </Handler>
>
> Frank Danielson
> Infrastructure Architect
>
> ClearSky Mobile Media
> 56 E. Pine St.
> Orlando, FL 32801
> USA
>
> fdanielson at csky.com
>
> -----Original Message-----
> From: Markus Moeller [mailto:huaraz at moeller.plus.com]
> Sent: Saturday, February 09, 2008 9:53 AM
> To: radiator at open.com.au
> Subject: (RADIATOR) Dynamic selection of authentication module question ?
>
>
> Is it possible to select an authentication module more dynamically (e.g.
> depending on the result of a previous module) ?
>
> I was thinking of the following:
>
> <AuthBy PAM>
> Identifier PAMAuthentication
> service radiusd
> </AuthBy>
>
> <AuthBy SQL>
> Identifier SQLAuthentication
> .
> .
> </AuthBy>
>
> <Realm>
> AuthByPolicy ContinueUntilReject
> AuthBy LDAPSelect
> # Now call either AuthBy or pass it again through the correct realm section
> AuthBy %{AuthID}
> AuthLog LogAuthentication
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L/detail
> # or
> Realm %{UserRealm}
> #
> </Realm>
>
> <Realm local.com>
> AuthByPolicy ContinueUntilReject
> AuthBy SQLAuthentication
> AuthLog LogAuthentication
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L/detail
> </Realm>
>
> <Realm central.com>
> AuthByPolicy ContinueUntilReject
> AuthBy PAMAuthentication
> AuthLog LogAuthentication
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L/detail
> </Realm>
>
> Usually you would use the realm of a user to decide what to do with <REALM
> userrealm>, but in my case an application cannot provide the realm
> details. I can get the realm from an ldap server and can either set a
> variable, add it to the request as an attribute or as a check item.
> The only problem I have is I cannot dynamically select the Authentication
> module nor process it via another Handler or Realm statement.
>
> Or can I ?
>
> Thank you
> Markus
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
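A fuller version of the PreHandlerHook approach Frank describes, as an added example that is not from this thread or from Radiator's hooks.txt: it does the LDAP lookup once, discards any selector attribute the NAS itself sent, and carries the group value on the request so the chosen AuthBy can copy it into the reply without a second LDAP connection. The directory settings, the `userRealm` and `LDAP-Group` attribute names and the Net::LDAP usage are assumptions; `Identifier-Attribute` and `LDAP-Group` are assumed to be defined in the Radiator dictionary.

```perl
# PreHandlerHook file for the <Client> clause (added example, not from the
# thread). One LDAP lookup: stamp the request with the attribute the
# <Handler> clauses match on, and carry the group along for the reply.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed directory settings: replace with your own.
my $ldap_host  = 'ldap.example.com';
my $bind_dn    = 'cn=radiator,ou=svc,dc=example,dc=com';
my $bind_pw    = 'change-me';
my $base_dn    = 'ou=people,dc=example,dc=com';
my $realm_attr = 'userRealm';        # hypothetical attribute: local or central
my $group_attr = 'tacacsauthgroup';  # the attribute named in the original post
# Only values that name a real <Handler> may be stamped on the request.
my %allowed_realm = (local => 1, central => 1);

sub {
    my $p    = ${$_[0]};             # the incoming request packet
    my $user = $p->get_attr('User-Name');

    # Never trust routing data the NAS sent: strip any copy of the selector
    # before setting our own, or a client could steer itself to the weaker
    # Handler. Same for the carrier attribute that ends up in the reply.
    $p->delete_attr('Identifier-Attribute');
    $p->delete_attr('LDAP-Group');   # hypothetical carrier attribute

    return unless defined $user && length $user;
    my $ldap = Net::LDAP->new($ldap_host, timeout => 5)
        or return &main::log($main::LOG_ERR, "LDAP connect failed: $@");
    my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
    return &main::log($main::LOG_ERR, 'LDAP bind failed: ' . $mesg->error)
        if $mesg->code;

    # Escape the user name so it cannot change the structure of the filter.
    $mesg = $ldap->search(base   => $base_dn, scope => 'sub',
                          filter => '(uid=' . escape_filter_value($user) . ')',
                          attrs  => [$realm_attr, $group_attr]);
    my $entry = $mesg->count == 1 ? $mesg->entry(0) : undef;
    my $realm = $entry ? $entry->get_value($realm_attr) : undef;
    my $group = $entry ? $entry->get_value($group_attr) : undef;
    $ldap->unbind;

    unless (defined $realm && $allowed_realm{$realm}) {
        &main::log($main::LOG_WARNING, "no usable realm for $user; not routed");
        return;                      # only a catch-all <Handler> matches now
    }
    $p->add_attr('Identifier-Attribute', $realm);
    $p->add_attr('LDAP-Group', $group) if defined $group;
    &main::log($main::LOG_DEBUG, "routed $user to Handler $realm");
}
```

Reference the file from the Client clause with `PreHandlerHook file:"%D/select-by-ldap.pl"`; the group value now on the request can be copied into the reply by the selected AuthBy, for example with `AddToReply T-GROUP=%{LDAP-Group}`.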