[RADIATOR] evaluating radiator: mixing backends in 1 handler + multiple realms
ronald higgins
ronald.higgins at gmail.com
Fri Apr 23 06:49:47 CDT 2010
Thanks Hugh!
That did the trick!
Just pasting the relevant example for future searches:
#####################################
<AuthBy GROUP>
    Identifier Auth_AD_MySQL
    AuthByPolicy ContinueWhileAccept
    <AuthBy NTLM>
        Identifier Auth_AD_MySQL_STAGE1
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
        DefaultDomain CONTOSO.LOCAL
        UsernameMatchesWithoutRealm
    </AuthBy>
    <AuthBy SQL>
        Identifier Auth_AD_MySQL_STAGE2
        DBSource dbi:mysql:radius:localhost:3306
        DBUsername radius
        DBAuth xxxxxx
        AuthSelect select REPLYATTR from SUBSCRIBERS \
            where USERNAME='%n' AND STATUS='enabled';
        AuthColumnDef 0,REPLYATTR,reply
    </AuthBy>
</AuthBy>
#####################################
<Handler Request-Type=Access-Request,Realm=/contoso.local/i>
    AuthBy Auth_AD_MySQL
    # Log accounting to a detail file
    AcctLogFileName %L/detail
</Handler>
#####################################
Best Regards
Ronald Higgins
On Fri, Apr 23, 2010 at 1:00 PM, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello Ronald -
>
> First question:
>
>
> <Handler Request-Type = Access-Request, Realm = /domain1.com|domain2.com|domain3.com/i>
> .....
> </Handler>
>
>
> Second question:
>
>
> <AuthBy GROUP>
>
> Identifier Auth_AD_SQL
>
> AuthByPolicy ContinueWhileAccept
>
> <AuthBy NTLM>
>
> Identifier Auth_AD
>
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> DefaultDomain CONTOSO.LOCAL
> UsernameMatchesWithoutRealm
>
> </AuthBy>
>
> <AuthBy SQL>
> .....
> </AuthBy>
>
> </AuthBy>
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 23 Apr 2010, at 19:37, ronald higgins wrote:
>
>> Greetings fellow radiator users,
>>
>> I'm hoping the veterans amongst you might be able to assist with 2 queries
>> regarding radiator.
>>
>> First question is relatively simple.
>>
>> Can I match multiple realms within a handler instead of having a
>> handler per realm like below?
>>
>> <Handler Request-Type=Access-Request,Realm=/domain1.com/i>
>> .....
>> </Handler>
>>
>> <Handler Request-Type=Access-Request,Realm=/domain2.com/i>
>> .....
>> </Handler>
>>
>> <Handler Request-Type=Access-Request,Realm=/domain3.com/i>
>> .....
>> </Handler>
>>
>> Second question is of more importance for me though.
>>
>> One of the requirements for one of the realms is authenticating off
>> Active Directory, this portion is working fine using NTLM.
>> However, my requirement is that the Authentication portion happens
>> out of Active Directory but the reply attributes be served out of MySQL.
>> As such, the users in Active Directory are also in a MySQL DB where
>> the actual profile lives.
>> Is there a mechanic to perform a mysql reply attribute lookup after
>> the ntlm_auth?
>>
>> <AuthBy NTLM>
>>
>> Identifier Auth_AD
>>
>> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>> DefaultDomain CONTOSO.LOCAL
>> UsernameMatchesWithoutRealm
>>
>> </AuthBy>
>>
>> Best Regards
>>
>> Ronald Higgins
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
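The ContinueWhileAccept chain from the configuration above, and the multi-realm Handler pattern, modelled in Python as an added example (not Radiator code and not from either poster): the AD users, the SUBSCRIBERS rows and the SQLite stand-in for MySQL are constructed, and the realm check assumes the /.../i Realm pattern behaves as an unanchored, case-insensitive regex.

```python
import re
import sqlite3

# Constructed sample data standing in for Active Directory and the MySQL SUBSCRIBERS table.
AD_USERS = {"alice": "pw-alice", "bob": "pw-bob"}
SUBSCRIBER_ROWS = [("alice", "Framed-IP-Address=10.0.0.5", "enabled"),
                   ("bob", "Framed-IP-Address=10.0.0.6", "disabled")]

def make_db():
    """In-memory SQLite standing in for the dbi:mysql:radius DBSource."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SUBSCRIBERS (USERNAME TEXT, REPLYATTR TEXT, STATUS TEXT)")
    db.executemany("INSERT INTO SUBSCRIBERS VALUES (?, ?, ?)", SUBSCRIBER_ROWS)
    return db

def auth_ntlm(user, password, db):
    """Stage 1 (Auth_AD_MySQL_STAGE1): what ntlm_auth decides; it adds no reply attributes."""
    return ("ACCEPT" if AD_USERS.get(user) == password else "REJECT"), {}

def auth_sql(user, password, db):
    """Stage 2 (Auth_AD_MySQL_STAGE2): the thread's AuthSelect as a parameterised query;
    AuthColumnDef 0,REPLYATTR,reply turns column 0 into a reply attribute."""
    row = db.execute("SELECT REPLYATTR FROM SUBSCRIBERS WHERE USERNAME=? AND STATUS='enabled'",
                     (user,)).fetchone()
    if row is None:
        return "REJECT", {}        # no enabled row: the SQL stage rejects, so the GROUP rejects
    name, _, value = row[0].partition("=")
    return "ACCEPT", {name: value}

STAGES = [("Auth_AD_MySQL_STAGE1", auth_ntlm), ("Auth_AD_MySQL_STAGE2", auth_sql)]

def auth_group(user, password, db, stages=STAGES):
    """AuthBy GROUP with AuthByPolicy ContinueWhileAccept: run the stages in order, stop at
    the first non-ACCEPT, merge reply attributes; the last stage run decides the result."""
    result, reply, ran = "REJECT", {}, []
    for name, stage in stages:
        ran.append(name)
        result, attrs = stage(user, password, db)
        reply.update(attrs)
        if result != "ACCEPT":
            break
    return result, reply, ran

# Realm selection: the pattern from the thread, unanchored and with unescaped dots (assumed to
# match like Radiator's /.../i check item), next to an anchored form that only admits the
# three exact realms.
REALM_LOOSE = re.compile(r"domain1.com|domain2.com|domain3.com", re.I)
REALM_STRICT = re.compile(r"^(domain1|domain2|domain3)\.com$", re.I)

def realm_selected(pattern, realm):
    return pattern.search(realm) is not None
```

A user that ntlm_auth accepts but who has no enabled SUBSCRIBERS row is rejected by the GROUP, and the SQL stage is never reached for a user AD rejects, which is what the trace list makes visible.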