[RADIATOR] Loading configuration dynamically from SQL database

Remco van Noorloos rvannoorloos at proxsys.nl
Mon Apr 11 09:13:59 CDT 2011


Hello Heikki,

Currently we have 100+ LDAP servers we're authenticating with. So if we have to edit the config file in order to make a change that wouldn't be manageable for us and is a situation we really like to avoid.

From what I understand, the implementation isn't really uniform? Since some parameters can be set dynamically and others not?

In addition, when I use the following Handler the same problem occurs. In this snippet 'CONNECTION_ID' is empty; this attribute is set in the 'DETERMINE_AUTH_BACKEND' AuthBy included in my last mail.

<Handler>
    Identifier AUTH_USER_realmSQL

    #
    # Perform SQL authentication
    #
    <AuthBy SQL>
        DBSource        dbi:ODBC:DRIVER={SQL Server};SERVER={%{GlobalVar:DB_PMS_SERVER}};DATABASE=%{GlobalVar:DB_PMS_NAME}
        DBUsername      %{GlobalVar:DB_PMS_USER}
        DBAuth          %{GlobalVar:DB_PMS_PASSWORD}

        AuthSelect      EXEC spPasswdSelect %{CONNECTION_ID}, %{Quote:%{Acct-Session-ID}}
        AuthColumnDef   0, User-Password, check
        AuthColumnDef   1, CONNECTION_ID, request
    </AuthBy>
</Handler>

Remco

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au]
Sent: Monday, 11 April 2011 14:44
To: Remco van Noorloos
CC: radiator at open.com.au
Subject: Re: [RADIATOR] Loading configuration dynamically from SQL database

On 04/11/2011 11:42 AM, Remco van Noorloos wrote:

Hello Remco,

> I've tried your suggestion and I managed to get some variables dynamically from an SQL database. 
> 
> When I try AuthColumnDef twice in two different AuthBy SQL's it doesn't seem to work though. The 'AUTH_BACKEND' and 'CONNECTION_ID' are working properly. When Radiator reaches the AuthBy LDAP2 it tries to connect with LDAP to 'LDAP_SERVER'. The value of this attribute isn't set and therefore Radiator is unable to authenticate against the Active Directory. The query in AuthSelect is returning correct values though. 
> 
> Is it not possible to use AuthColumnDef twice or something? I tried different configurations with the Authby's outside an Handler as well.

Using AuthColumnDef twice is fine and the normal way to do things.

I also tried creating a configuration for dynamic AuthBy LDAP2s and
noticed that some things may not be possible with the current LDAP2 AuthBy.
For example, AuthDN is used for binding, and this binding likes to stay
with the object that is created from the AuthBy LDAP2 clause. The object is
created when Radiator initialises during startup.

In other words, my test and a closer look at the code show that while
some things are dynamic, others are initialised from the first request
that arrives or only after an error occurs. Additionally, Host
especially seems to be something that is not currently evaluated in
packet context. This means that even if formatting characters are
available, variables from the request are not.

About your configuration: how many combinations of
LDAP servers and AuthDNs do you have? If you needed to list all LDAP
servers and their AuthDNs, would this be feasible?

Yours,
Heikki


> The current configuration is as follows:
> 
> ---
> 
> LogDir		C:\Program Files\Radiator\logs
> LogFile		%L\%Y%m%d-%H00-radius.log
> DbDir		C:\Progam Files\Radiator
> DictionaryFile C:\Program Files\Radiator\dictionary
> 
> Trace 		5
> 
> <Client DEFAULT>
> 	Secret			mysecret
> 	DupInterval 	0
> </Client>
> 
> <AuthBy SQL>
> 	Identifier 	DETERMINE_AUTH_BACKEND
> 	
> 	DBSource	dbi:ODBC:DRIVER={SQL Server};SERVER={localhost};DATABASE=dbPMS
> 	DBUsername	sa_pmsuser
> 	DBAuth		123pms
> 	
> 	AuthSelect	EXEC spGetAuthenticationSource %0, %{Quote:%{NAS-Port-Type}}, %{Quote:%{Service-Type}}, %{Quote:%{Acct-Sess-ID}}
> 	
> 	AuthColumnDef 0, AUTH_BACKEND, request
> 	AuthColumnDef 1, CONNECTION_ID, request
> </AuthBy>
> 
> 
> <Handler>
> 	AuthByPolicy ContinueWhileAccept
> 	
> 	<AuthBy GROUP>
>         AuthByPolicy 	ContinueUntilAccept
>         AuthBy 			DETERMINE_AUTH_BACKEND
>     </AuthBy>
>     <AuthBy HANDLER>
>         HandlerId 		AUTH_USER_%{AUTH_BACKEND}
>     </AuthBy>
>     #AuthBy sql-add-reply-attributes
> 
> </Handler>
> 
> <Handler>
>     Identifier AUTH_USER_realmLDAP
> 	
> 	AuthByPolicy ContinueWhileAccept
> 	
> 	<AuthBy SQL>
> 		DBSource	dbi:ODBC:DRIVER={SQL Server};SERVER={localhost};DATABASE=dbPMS
> 		DBUsername	sa_pmsuser
> 		DBAuth		123pms
> 		
> 		AuthSelect	EXEC spLDAPGetProperties %0, %{CONNECTION_ID}
> 		
> 		AuthColumnDef 0, LDAP_SERVER, request
> 		AuthColumnDef 1, LDAP_AUTHDN, request
> 		AuthColumnDef 2, LDAP_AUTHPASSWORD, request
> 		AuthColumnDef 3, LDAP_BASEDN, request
> 		AuthColumnDef 4, LDAP_SEARCH_FILTER, request
> 	</AuthBy>
> 	<AuthBy LDAP2>
> 		Host			%{LDAP_SERVER}
> 		
> 		AuthDN			%{LDAP_AUTHDN}
> 		AuthPassword	%{LDAP_AUTHPASSWORD}
> 
> 		BaseDN			%{LDAP_BASEDN}
> 
> 		SearchFilter 	(&(userPrincipalName=%1)(memberOf=%{LDAP_SEARCH_FILTER}))
> 
> 		ServerChecksPassword
> 		
> 		HoldServerConnection
> 		  
> 		#Debug 255
> 
> 		Timeout 		10
> 		FailureBackoffTime 1
> 
> 		Version 		3
> 	</AuthBy>
> 	
> </Handler>
> 
> ---
> 
> Logging:
> 
> ---
> 
> Code:       Access-Request
> Identifier: 71
> Authentic:  <245><135><138>2<21><143>'<136><169><201><134>}<251><24>@<246>
> Attributes:
> 	User-Name = "rvannoorloos at proxsys.net"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Identifier = "203.63.154.1"
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	User-Password = <158><252>xt"cP<217><217><197><4><229><208>-<6>;
> 
> Mon Apr 11 10:02:41 2011: DEBUG: Handling request with Handler '', Identifier ''
> Mon Apr 11 10:02:41 2011: DEBUG:  Deleting session for rvannoorloos at proxsys.net, 203.63.154.1, 1234
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthGROUP: 
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthSQL: DETERMINE_AUTH_BACKEND
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthSQL: DETERMINE_AUTH_BACKEND
> Mon Apr 11 10:02:41 2011: DEBUG: Query is: 'EXEC spGetAuthenticationSource 'rvannoorloos at proxsys.net', 'Async', 'Framed-User', ''': 
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthSQL looks for match with rvannoorloos at proxsys.net [rvannoorloos at proxsys.net]
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthSQL ACCEPT: : rvannoorloos at proxsys.net [rvannoorloos at proxsys.net]
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthGROUP: DETERMINE_AUTH_BACKEND result: ACCEPT, 
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy GROUP result: ACCEPT, 
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthHANDLER: 
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy HANDLER is redirecting to Handler 'AUTH_USER_realmLDAP'
> Mon Apr 11 10:02:41 2011: DEBUG: Handling request with Handler '', Identifier 'AUTH_USER_realmLDAP'
> Mon Apr 11 10:02:41 2011: DEBUG:  Deleting session for rvannoorloos at proxsys.net, 203.63.154.1, 1234
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthSQL: 
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthSQL: 
> Mon Apr 11 10:02:41 2011: DEBUG: Query is: 'EXEC spLDAPGetProperties 'rvannoorloos at proxsys.net', 369': 
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthSQL looks for match with rvannoorloos at proxsys.net [rvannoorloos at proxsys.net]
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthSQL ACCEPT: : rvannoorloos at proxsys.net [rvannoorloos at proxsys.net]
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy SQL result: ACCEPT, 
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthLDAP2: 
> Mon Apr 11 10:02:41 2011: INFO: Connecting to :389
> Mon Apr 11 10:02:41 2011: ERR: Could not open LDAP connection to :389. Backing off for 1 seconds.
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy HANDLER result: IGNORE, User database access error


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
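As an added illustration (not Radiator's code and not part of this thread), the following Python model of Radiator-style %{...} expansion shows the startup-versus-packet distinction Heikki describes: a %{GlobalVar:...} resolves without a request, but a request attribute only exists in packet context and otherwise expands to nothing, which is how `Host %{LDAP_SERVER}` produced "Connecting to :389" in the log above. The quoting rule for %{Quote:...} and the handling of %0 (quoted User-Name) and %1 (user part) are assumptions of this model.

```python
# Added illustration: a model of Radiator-style %{...} expansion, NOT Radiator's code.

def sql_quote(value):
    """Model of %{Quote:...}: wrap in single quotes, doubling embedded quotes (assumed rule)."""
    return "'" + value.replace("'", "''") + "'"

def _resolve(body, request, globalvars):
    """Resolve the text found between %{ and }."""
    if body.startswith("GlobalVar:"):
        # Globals exist at startup, so they resolve with or without a packet.
        return globalvars.get(body[len("GlobalVar:"):], "")
    if body.startswith("Quote:"):
        return sql_quote(expand(body[len("Quote:"):], request, globalvars))
    # A request attribute only exists in packet context; at startup (request is None)
    # it expands to "", which is how Host %{LDAP_SERVER} became ":389" in the log.
    return "" if request is None else request.get(body, "")

def expand(template, request=None, globalvars=None):
    """Expand %{...} (nesting allowed), %0 (quoted User-Name) and %1 (part before '@')."""
    globalvars = globalvars or {}
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            depth, j = 0, i + 1
            while j < len(template):              # find the matching closing brace
                if template[j] == "{":
                    depth += 1
                elif template[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            out.append(_resolve(template[i + 2:j], request, globalvars))
            i = j + 1
        elif template[i] == "%" and template[i + 1:i + 2] in ("0", "1"):
            name = request.get("User-Name", "") if request else ""
            out.append(sql_quote(name) if template[i + 1] == "0" else name.split("@")[0])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

# Constructed sample data, not taken from the thread's real environment.
GLOBALS = {"DB_PMS_SERVER": "localhost", "DB_PMS_NAME": "dbPMS"}
REQUEST = {"User-Name": "alice@example.net", "NAS-Port-Type": "Async",
           "Service-Type": "Framed-User", "CONNECTION_ID": "369"}

if __name__ == "__main__":
    print(expand("%{LDAP_SERVER}", None) + ":389")   # startup context: ':389'
```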