[RADIATOR] Loading configuration dynamically from SQL database

Heikki Vatiainen hvn at open.com.au
Tue Apr 12 07:42:36 CDT 2011


On 04/11/2011 05:13 PM, Remco van Noorloos wrote:

> Currently we have 100+ LDAP servers we're authenticating with. So if
> we have to edit the config file in order to make a change that
> wouldn't be manageable for us and is a situation we really like to
> avoid.

That is very understandable.

One way to do this would be to automatically generate all the AuthBys
and then use Include to pull them into the Radiator configuration.

> From what I understand the implementation isn't really uniform? Since
> some parameters can be set dynamically and others not?

Most things can be set dynamically so it is uniform in that sense. What
is not uniform is what the lifetime (for lack of a better word) of various
parameters is.

The userid in search parameter varies from request to request, naturally.

AuthDN can be initialised when the first request arrives, but within one
AuthBy LDAP2, the AuthDN stays the same between requests so that there is
not a separate bind operation for each request.

The Host parameter can be set from a global variable, but that is when
Radiator starts or is reinitialised.

> In addition, when I use the following Handler the same problem
> occurs. In this snippet the 'CONNECTION_ID' is empty, this attribute
> is set in the 'DETERMINE_AUTH_BACKEND' AuthBy as included in my last
> mail.

Try Acct-Session-Id - notice the spelling.

Also, you are using AuthSelect with DETERMINE_AUTH_BACKEND and using
Acct-Session-Id as a part of AuthSelect. Since this select runs by
default for authentication requests, does it have access to
Acct-Session-Id parameter?

You should see from the log what happens. AuthSelect should be formatted
for each request, so %{CONNECTION_ID} should contain the value from the
request.

> <Handler>
>     Identifier AUTH_USER_realmSQL
> 	
> 	#
> 	# Perform SQL authentication
> 	#
>     <AuthBy SQL>
> 		DBSource		dbi:ODBC:DRIVER={SQL Server};SERVER={%{GlobalVar:DB_PMS_SERVER}};DATABASE=%{GlobalVar:DB_PMS_NAME}
> 		DBUsername		%{GlobalVar:DB_PMS_USER}
> 		DBAuth			%{GlobalVar:DB_PMS_PASSWORD}
> 		
> 		AuthSelect 		EXEC spPasswdSelect %{CONNECTION_ID}, %{Quote:%{Acct-Session-ID}}
> 		AuthColumnDef 	0, User-Password, check
> 		AuthColumnDef 	1, CONNECTION_ID, request
>     </AuthBy>
> </Handler>
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
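
The generate-and-Include approach suggested in the reply, sketched as an added example that is not part of the original message and not Radiator's own code. It builds one `<AuthBy LDAP2>` clause per database row and skips any row whose values could inject extra lines or `%{...}` substitutions into the generated file. The `ldap_servers` table, its columns, the sample hosts and the in-memory SQLite database are assumptions, and the bind password is deliberately left out of the generated text.

```python
import re
import sqlite3

# Allowlists: a value that fails is skipped, so a database row cannot smuggle
# a newline, a "%{...}" substitution or an extra directive into the config.
IDENT_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")
DN_RE = re.compile(r"[A-Za-z0-9=,. _-]{1,255}")


def render_authby(ident, host, port, auth_dn, base_dn):
    """Return one <AuthBy LDAP2> clause, or raise ValueError on a bad field."""
    checks = ((IDENT_RE, ident), (HOST_RE, host), (DN_RE, auth_dn), (DN_RE, base_dn))
    for pattern, value in checks:
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"rejected value: {value!r}")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"rejected port: {port!r}")
    return (
        "<AuthBy LDAP2>\n"
        f"    Identifier {ident}\n"
        f"    Host {host}\n"
        f"    Port {port}\n"
        f"    AuthDN {auth_dn}\n"
        f"    BaseDN {base_dn}\n"
        "</AuthBy>\n"
    )


def generate(conn):
    """Return (config_text, skipped_identifiers) for every row in ldap_servers."""
    clauses, skipped = [], []
    rows = conn.execute(
        "SELECT ident, host, port, auth_dn, base_dn FROM ldap_servers ORDER BY ident")
    for row in rows:
        try:
            clauses.append(render_authby(*row))
        except ValueError:
            skipped.append(row[0])
    return "\n".join(clauses), skipped


def sample_db():
    """Constructed sample data; the second row carries an injected directive."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ldap_servers (ident, host, port, auth_dn, base_dn)")
    conn.executemany("INSERT INTO ldap_servers VALUES (?, ?, ?, ?, ?)", [
        ("LDAP_SITE_A", "ldap-a.example.com", 389, "cn=radius,dc=example,dc=com", "dc=example,dc=com"),
        ("LDAP_SITE_B", "ldap-b.example.com\nAuthPassword x", 389, "cn=radius,dc=example,dc=com", "dc=example,dc=com"),
    ])
    return conn
```

The returned text would be written to a file that the main configuration pulls in with Include, and the skipped identifiers logged for review before Radiator is reinitialised.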

