(RADIATOR) EAPTLS_NoCheckId and AuthBy FILE check
Markus Moeller
huaraz at moeller.plus.com
Wed Feb 27 15:30:20 CST 2008
----- Original Message -----
From: "Mike McCauley" <mikem at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: "Hugh Irvine" <hugh at open.com.au>; <radiator at open.com.au>
Sent: Wednesday, February 27, 2008 7:13 AM
Subject: Re: (RADIATOR) EAPTLS_NoCheckId and AuthBy FILE check
> Hello Markus,
>
> On Wednesday 27 February 2008 06:43, Markus Moeller wrote:
>> Hugh,
>>
>> find attached two trace files, one with and the other without
>> EAPTLS-NoCheckId.
>>
>> From looking at the source I see the following:
>>
>> If (!EAPTLS-NoCheckId) {
>>
>> Compare Subject with username, username_nodomain, identity,
>> identity_nodomain.
>>
>> If match check database (e.g. FILE)
>>
>> }
>>
>>
>> I would have thought the following would make sense too:
>>
>> If (!EAPTLS-NoCheckId) {
>>
>> Compare Subject with username, username_nodomain, identity,
>> identity_nodomain till one matches.
>>
>> If match check matched id in database (e.g. FILE)
>>
>> } else {
>>
>> Check username, username_nodomain, identity, identity_nodomain
>> in database (e.g. FILE) till one matches or reject
>>
>> }
>
> We disagree. The theory is that if EAPTLS-NoCheckId is set, then all the
> client needs is a certificate that is valid when checked against the
> issuing CA.
>
In my case I intended to check user attributes retrieved via LDAP with check
items in a file (which I know I can do via another AuthBy File). So instead
of
<AuthBy LDAP2>
    Identifier LDAP
    ....
</AuthBy>
<AuthBy FILE>
    Identifier FilewithEAPTLS
    File %D/LDAPcheck
    EAPTLS ....
    EAPTLS_NoCheckId
</AuthBy>
<Handler>
    AuthBy LDAP
    AuthBy FilewithEAPTLS
</Handler>
I need to do:
<AuthBy LDAP2>
    Identifier LDAP
    ....
</AuthBy>
<AuthBy FILE>
    Identifier FilewithEAPTLS
    File %D/Dummy
    EAPTLS ....
    EAPTLS_NoCheckId
</AuthBy>
<AuthBy FILE>
    Identifier FileCheck
    File %D/LDAPcheck
</AuthBy>
<Handler>
    AuthBy LDAP
    AuthBy FilewithEAPTLS
    AuthBy FileCheck
</Handler>
which seemed to me a bit inefficient, having an AuthBy FILE without being
able to use the file for checks. Or is there a more efficient way to do it?
> Cheers.
>
Thank you
Markus
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.