[RADIATOR] check-items in chained authby queries
Michael
ringo at vianet.ca
Thu Feb 3 13:43:12 CST 2011
your "AuthBy GROUP AuthSQL" will not flow down into the "AuthBy GROUP AuthHOTP". I don't think the AuthHOTP will be used at all in this config.
Look like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
> <AuthBy GROUP>
> Identifier AuthSQL
> AuthByPolicy ContinueWhileAccept
> <AuthBy SQL>
> GroupMembershipQuery SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
> AuthSelect select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
> AuthColumnDef 0, Class, request
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, check
> </AuthBy>
# now call the AuthHOTP
AuthBy AuthHOTP
> </AuthBy GROUP>
Michael
On 11-02-03 02:34 PM, Linuxchuck wrote:
> Hello again,
>
> I am attempting to validate both the username and appropriate group membership via MySQL on an incoming access-request before bothering to process the HOTP password provided. If the username doesn't exist, or the user is not a member of the group in the list provided, send a reject and stop processing.
>
> The problem I run into is that the grouplist check appears to be performed by the 2nd AuthBy clause, which fails because HOTP is not capable of checking groups. I would like for the group check to occur prior to the HOTP check.
>
> Here is my config layout so far:
>
> FYI: The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>
> <AuthBy GROUP>
> Identifier AuthSQL
> AuthByPolicy ContinueWhileAccept
> <AuthBy SQL>
> GroupMembershipQuery SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
> AuthSelect select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
> AuthColumnDef 0, Class, request
> AuthColumnDef 1, GENERIC, check
> AuthColumnDef 2, GENERIC, check
> </AuthBy>
> </AuthBy GROUP>
>
> <AuthBy GROUP>
> Identifier AuthHOTP
> <AuthBy SQLHOTP>
> ...
> </AuthBy>
> </AuthBy GROUP>
>
> <Realm DEFAULT>
> AuthBy AuthSQL
> </Realm>
>
> I don't see any evidence that the Authby SQL is performing the group check, and the log tells me "WARNING: This AuthBy does not know how to get user Groups" under the HOTP section.
>
> Is there a way to accomplish what I'm after?
>
> Thanks!
>
> Chuck
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>
More information about the radiator
mailing list