[RADIATOR] check-items in chained authby queries

Michael ringo at vianet.ca
Thu Feb 3 13:43:12 CST 2011


your "AuthBy GROUP AuthSQL" will not flow down into  the "AuthBy GROUP AuthHOTP".  I don't think the AuthHOTP will be used at all in this config.

Look like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
> <AuthBy GROUP>
>          Identifier      AuthSQL
>          AuthByPolicy    ContinueWhileAccept
>          <AuthBy SQL>
>                  GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>                  AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>                  AuthColumnDef   0, Class, request
>                  AuthColumnDef   1, GENERIC, check
>                  AuthColumnDef   2, GENERIC, check
>          </AuthBy>

# now call the AuthHOTP
	AuthBy AuthHOTP

> </AuthBy GROUP>


Michael


On 11-02-03 02:34 PM, Linuxchuck wrote:
> Hello again,
>
> I am attempting to validate both the username and appropriate group membership via MySQL on an incoming access-request before bothering to process the HOTP password provided.  If the username doesn't exist, or the user is not a member of the group in the list provided, send a reject and stop processing.
>
> The problem I run into is that the grouplist check appears to be performed by the 2nd AuthBy clause, which fails because HOTP is not capable of checking groups.  I would like for the group check to occur prior to the HOTP check.
>
> Here is my config layout so far:
>
> FYI:  The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>
> <AuthBy GROUP>
>          Identifier      AuthSQL
>          AuthByPolicy    ContinueWhileAccept
>          <AuthBy SQL>
>                  GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>                  AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>                  AuthColumnDef   0, Class, request
>                  AuthColumnDef   1, GENERIC, check
>                  AuthColumnDef   2, GENERIC, check
>          </AuthBy>
> </AuthBy GROUP>
>
> <AuthBy GROUP>
>          Identifier              AuthHOTP
>          <AuthBy SQLHOTP>
>                  ...
>          </AuthBy>
> </AuthBy GROUP>
>
> <Realm DEFAULT>
>          AuthBy AuthSQL
> </Realm>
>
> I don't see any evidence that the Authby SQL is performing the group check, and the log tells me "WARNING: This AuthBy does not know how to get user Groups" under the HOTP section.
>
> Is there a way to accomplish what I'm after?
>
> Thanks!
>
> Chuck
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>


More information about the radiator mailing list