[RADIATOR] check-items in chained authby queries

Linuxchuck linuxchuck at n-force.com
Thu Feb 3 13:34:48 CST 2011


Hello again,

I am attempting to validate both the username and appropriate group membership via MySQL on an incoming access-request before bothering to process the HOTP password provided.  If the username doesn't exist, or the user is not a member of the group in the list provided, send a reject and stop processing.

The problem I run into is that the grouplist check appears to be performed by the 2nd AuthBy clause, which fails because HOTP is not capable of checking groups.  I would like for the group check to occur prior to the HOTP check.

Here is my config layout so far:

FYI:  The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"

<AuthBy GROUP>
        Identifier      AuthSQL
        AuthByPolicy    ContinueWhileAccept
        <AuthBy SQL>
                GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
                AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
                AuthColumnDef   0, Class, request
                AuthColumnDef   1, GENERIC, check
                AuthColumnDef   2, GENERIC, check
        </AuthBy>
</AuthBy GROUP>

<AuthBy GROUP>
        Identifier              AuthHOTP
        <AuthBy SQLHOTP>
                ...
        </AuthBy>
</AuthBy GROUP>

<Realm DEFAULT>
        AuthBy AuthSQL
</Realm>

I don't see any evidence that the AuthBy SQL is performing the group check, and the log tells me "WARNING: This AuthBy does not know how to get user Groups" under the HOTP section.

Is there a way to accomplish what I'm after?

Thanks!

Chuck
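Added illustration, not part of this post and not Radiator code: the decision order Chuck is after (user lookup, then GroupList membership, then HOTP) written as a stand-alone Python sketch. The SUBSCRIBERS and v_usergroups tables are replaced by constructed in-memory dictionaries, and the HOTP check follows RFC 4226 with a small look-ahead window, so the token is only evaluated once the cheaper checks have passed.

```python
import hmac
import hashlib
import struct

# Constructed stand-ins for the SUBSCRIBERS table and the v_usergroups view.
# The secret is the RFC 4226 test-vector key "12345678901234567890".
SUBSCRIBERS = {
    "alice": {"secret": b"12345678901234567890", "counter": 0},
    "carol": {"secret": b"12345678901234567890", "counter": 0},
}
USER_GROUPS = {"alice": {"Group2"}, "carol": {"Group4"}}
# The GroupList check-item from the AuthSelect in the post.
GROUP_LIST = {"Group1", "Group2", "Group3"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticate(username: str, password: str, window: int = 3):
    """Return (decision, reason). Rejects unknown users and users outside
    GROUP_LIST before any HOTP computation is done."""
    user = SUBSCRIBERS.get(username)
    if user is None:
        return "REJECT", "unknown user"
    if not USER_GROUPS.get(username, set()) & GROUP_LIST:
        return "REJECT", "not a member of any group in GroupList"
    # Only now touch the token: accept the next `window` counter values,
    # then advance past the used one so the same code cannot be replayed.
    for candidate in range(user["counter"], user["counter"] + window):
        if hmac.compare_digest(hotp(user["secret"], candidate), password):
            user["counter"] = candidate + 1
            return "ACCEPT", "hotp ok"
    return "REJECT", "bad hotp"
```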
