(RADIATOR) Dynamic selection of authentication module question ?

Markus Moeller huaraz at moeller.plus.com
Sat Feb 9 12:31:57 CST 2008


Thank you for the feedback. I see how that could work. In my case I think it 
would mean everything I do in my LDAPSelect (which is a <AuthBy LDAP2>) needs 
to be done in the PreHandler. Does the PreHandler have access to the reply 
packet too? I am asking since my LDAP2 sets a reply attribute for use in 
the TACACS authorisation with GroupMemberAttr T-GROUP and I wouldn't like 
to connect twice to the LDAP server.

<AuthBy LDAP2>
..
        AuthAttrDef     tacacsauthgroup,T-GROUP,reply
..
</AuthBy>

Thank you
Markus

----- Original Message ----- 
From: "Frank Danielson" <fdanielson at csky.com>
To: <radiator at open.com.au>
Sent: Saturday, February 09, 2008 3:53 PM
Subject: RE: (RADIATOR) Dynamic selection of authentication module question ?


> This can be accomplished using a hook. There is an example of choosing and
> calling an AuthBy module in hooks.txt. Or you can use a PreHandler hook in
> your client clause to add an attribute that is used later in choosing a
> Handler.
>
> Here's an over simplified example. You'd have to write something to
> implement the logic that chooses the identifier.
>
> <Client>
> Client config
> # Fake a new attribute into the request
> PreHandlerHook sub { my $identifier = some chooser logic; \
> ${$_[0]}->add_attr('Identifier-Attribute', $identifier); }
> </Client>
>
> <Handler Identifier-Attribute=local>
>       AuthByPolicy ContinueUntilReject
>       AuthBy SQLAuthentication
>       AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>       AcctLogFileName %L/detail
> </Handler>
>
> <Handler Identifier-Attribute=central>
>       AuthByPolicy ContinueUntilReject
>       AuthBy PAMAuthentication
>       AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>       AcctLogFileName %L/detail
> </Handler>
>
> Frank Danielson
> Infrastructure Architect
>
> ClearSky Mobile Media
> 56 E. Pine St.
> Orlando, FL 32801
> USA
>
> fdanielson at csky.com
>
> -----Original Message-----
> From: Markus Moeller [mailto:huaraz at moeller.plus.com]
> Sent: Saturday, February 09, 2008 9:53 AM
> To: radiator at open.com.au
> Subject: (RADIATOR) Dynamic selection of authentication module question ?
>
>
> Is it possible to select an authentication module more dynamically (e.g.
> depending on the result of a previous module)?
>
> I was thinking of the following:
>
> <AuthBy PAM>
>        Identifier PAMAuthentication
>        service radiusd
> </AuthBy>
>
> <AuthBy SQL>
>        Identifier SQLAuthentication
>        .
>        .
> </AuthBy>
>
> <Realm>
>        AuthByPolicy ContinueUntilReject
>        AuthBy LDAPSelect
> # Now call either AuthBy or pass it again through the correct realm section
>        AuthBy %{AuthID}
>        AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>        AcctLogFileName %L/detail
> # or
>       Realm %{UserRealm}
> #
> </Realm>
>
> <Realm local.com>
>       AuthByPolicy ContinueUntilReject
>       AuthBy SQLAuthentication
>       AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>       AcctLogFileName %L/detail
> </Realm>
>
> <Realm central.com>
>       AuthByPolicy ContinueUntilReject
>       AuthBy PAMAuthentication
>       AuthLog LogAuthentication
>        # Log accounting to the detail file in LogDir
>       AcctLogFileName %L/detail
> </Realm>
>
> Usually you would use the realm of a user to decide what to do with <REALM
> userrealm>, but in my case an application cannot provide the realm
> details. I can get the realm from an LDAP server and can either set a
> variable, add it to the request as an attribute or as a check item.
> The only problem I have is I cannot dynamically select the authentication
> module nor process it via another Handler or Realm statement.
>
> Or can I ?
>
> Thank you
> Markus
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
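The following is an added, stand-alone example of the PreHandlerHook approach described in the thread; it is not code from either poster or from the Radiator distribution. It does one directory lookup per request (a constructed in-memory table stands in for the LDAP search), tags the request with an attribute a <Handler> clause can match on, and carries the TACACS+ group along in the same request so the directory is not queried a second time. The attribute names X-Auth-Select and X-Tacacs-Group, the MockPacket package and the sample users are all assumptions made for this example; the hook itself only relies on the request packet's get_attr and add_attr methods and on the ${$_[0]} calling convention shown in Frank's reply.

```perl
#!/usr/bin/perl
# Added example, not from the mailing-list thread or from Radiator itself.
use strict;
use warnings;

# Minimal stand-in for a Radius::Radius request so the hook can be run from
# the shell. Inside Radiator the real packet object is passed instead.
package MockPacket {
    sub new {
        my ($class, %attrs) = @_;
        return bless { attrs => [ map { [ $_, $attrs{$_} ] } sort keys %attrs ] }, $class;
    }
    sub get_attr {
        my ($self, $name) = @_;
        for my $pair (@{ $self->{attrs} }) {
            return $pair->[1] if $pair->[0] eq $name;
        }
        return undef;
    }
    sub add_attr {
        my ($self, $name, $value) = @_;
        push @{ $self->{attrs} }, [ $name, $value ];
    }
}

package main;

# Constructed lookup table: username -> [ realm, TACACS group ].
# In production this is the single LDAP search result for the user.
my %directory = (
    alice => [ 'local',   'netadmin' ],
    bob   => [ 'central', 'helpdesk' ],
);

# The hook body. Radiator passes a reference to the request packet as $_[0],
# so the packet itself is ${$_[0]}.
my $pre_handler_hook = sub {
    my $p = ${ $_[0] };

    # Strip any realm the client happened to send; the directory is
    # authoritative for which realm the user belongs to.
    my ($user) = ( $p->get_attr('User-Name') // '' ) =~ /^([^@]+)/;
    my $entry = defined $user ? $directory{$user} : undef;

    if ($entry) {
        my ($realm, $group) = @$entry;
        $p->add_attr('X-Auth-Select',  $realm);   # matched by <Handler X-Auth-Select=...>
        $p->add_attr('X-Tacacs-Group', $group);   # reused later for the reply
    }
    else {
        # Unknown users get an explicit tag so a catch-all Handler can reject
        # them instead of the request falling through to an arbitrary Handler.
        $p->add_attr('X-Auth-Select', 'unknown');
    }
    return;
};

# Driver so the file can be run directly: three constructed requests.
for my $name ( 'alice@example.com', 'bob', 'mallory' ) {
    my $p = MockPacket->new( 'User-Name' => $name );
    $pre_handler_hook->( \$p );
    printf "%-18s -> X-Auth-Select=%s X-Tacacs-Group=%s\n",
        $name,
        $p->get_attr('X-Auth-Select'),
        $p->get_attr('X-Tacacs-Group') // '-';
}
```

To use this in radius.cfg, keep only the sub (drop the MockPacket package and the driver loop) and reference it from the <Client> clause with PreHandlerHook, then give each authentication path its own <Handler X-Auth-Select=local> or <Handler X-Auth-Select=central> clause as in Frank's example. Because Radiator selects the first Handler whose check items match, add a final <Handler> with no check items that rejects (for instance AuthBy INTERNAL with DefaultResult reject) so that a request tagged unknown, or one the hook failed to tag, never reaches a real AuthBy. For the group, the AuthBy chosen by the Handler can copy the request attribute into the reply with AddToReply T-GROUP=%{X-Tacacs-Group}, which keeps the single directory lookup Markus is after; whether the reply packet object is reachable directly from inside the PreHandlerHook depends on the Radiator version, so this example deliberately keeps the value in the request instead.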

