[RADIATOR] check-items in chained authby queries

Michael ringo at vianet.ca
Thu Feb 3 13:45:55 CST 2011


Actually, it's probably nicer to understand, and easier to look at, if you clean it up like this:


# configure AuthSQL
<AuthBy GROUP>
    Identifier      AuthSQL
    <AuthBy SQL>
        GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
        AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
        AuthColumnDef   0, Class, request
        AuthColumnDef   1, GENERIC, check
        AuthColumnDef   2, GENERIC, check
    </AuthBy>
</AuthBy GROUP>

# configure AuthHOTP
<AuthBy GROUP>
    Identifier      AuthHOTP
    <AuthBy SQLHOTP>
        ...
    </AuthBy>
</AuthBy GROUP>

# configure authentication process
<Realm DEFAULT>
    AuthByPolicy    ContinueWhileAccept
    AuthBy AuthSQL
    AuthBy AuthHOTP
</Realm>
On 11-02-03 02:43 PM, Michael wrote:
>
> your "AuthBy GROUP AuthSQL" will not flow down into the "AuthBy GROUP AuthHOTP". I don't think the AuthHOTP will be used at all in this config.
>
> Looks like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
>> <AuthBy GROUP>
>>           Identifier      AuthSQL
>>           AuthByPolicy    ContinueWhileAccept
>>           <AuthBy SQL>
>>                   GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>                   AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>                   AuthColumnDef   0, Class, request
>>                   AuthColumnDef   1, GENERIC, check
>>                   AuthColumnDef   2, GENERIC, check
>>           </AuthBy>
>
> # now call the AuthHOTP
> 	AuthBy AuthHOTP
>
>> </AuthBy GROUP>
>
>
> Michael
>
>
> On 11-02-03 02:34 PM, Linuxchuck wrote:
>> Hello again,
>>
>> I am attempting to validate both the username and appropriate group membership via MySQL on an incoming access-request before bothering to process the HOTP password provided.  If the username doesn't exist, or the user is not a member of the group in the list provided, send a reject and stop processing.
>>
>> The problem I run into is that the grouplist check appears to be performed by the 2nd AuthBy clause, which fails because HOTP is not capable of checking groups.  I would like for the group check to occur prior to the HOTP check.
>>
>> Here is my config layout so far:
>>
>> FYI:  The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>>
>> <AuthBy GROUP>
>>           Identifier      AuthSQL
>>           AuthByPolicy    ContinueWhileAccept
>>           <AuthBy SQL>
>>                   GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>                   AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>                   AuthColumnDef   0, Class, request
>>                   AuthColumnDef   1, GENERIC, check
>>                   AuthColumnDef   2, GENERIC, check
>>           </AuthBy>
>> </AuthBy GROUP>
>>
>> <AuthBy GROUP>
>>           Identifier              AuthHOTP
>>           <AuthBy SQLHOTP>
>>                   ...
>>           </AuthBy>
>> </AuthBy GROUP>
>>
>> <Realm DEFAULT>
>>           AuthBy AuthSQL
>> </Realm>
>>
>> I don't see any evidence that the AuthBy SQL is performing the group check, and the log tells me "WARNING: This AuthBy does not know how to get user Groups" under the HOTP section.
>>
>> Is there a way to accomplish what I'm after?
>>
>> Thanks!
>>
>> Chuck
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>


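The ordering problem discussed in this thread (check that the user exists and is in an allowed group first, and only then spend effort verifying the HOTP code) can be illustrated outside Radiator. The following Python is an added example for this archive page, not code from the thread or from Radiator itself. It models a ContinueWhileAccept-style chain as "run each step in order and stop at the first step that does not accept", which is an assumption about the policy's semantics for the purpose of the model; the user table, group names and counters are constructed stand-ins for the SUBSCRIBERS and v_usergroups tables, and the OTP check implements HOTP as specified in RFC 4226 (its published test vectors are used to check the implementation).

```python
"""Added example: a two-step authentication chain where the user/group check
runs before the HOTP check and short-circuits on reject. Not Radiator code."""
import hashlib
import hmac
import struct

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed user table (assumption) standing in for SUBSCRIBERS / v_usergroups.
# The secret is the RFC 4226 test-vector key so the OTPs below are verifiable.
USERS = {
    "alice": {"secret": b"12345678901234567890", "counter": 0, "groups": {"Group1"}},
    "bob":   {"secret": b"12345678901234567890", "counter": 0, "groups": {"Other"}},
}
# The GroupList check item from the thread's AuthSelect.
REQUIRED_GROUPS = {"Group1", "Group2", "Group3"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def auth_sql(username: str, password: str):
    """Models the AuthBy SQL step: the user must exist and be a member of at
    least one group in the GroupList. The password is not examined here."""
    user = USERS.get(username)
    if user is None:
        return REJECT, "unknown user"
    if not (user["groups"] & REQUIRED_GROUPS):
        return REJECT, "not in GroupList"
    return ACCEPT, "user and group ok"


def auth_hotp(username: str, password: str, window: int = 5):
    """Models the AuthBy SQLHOTP step: the OTP must match one of the next
    `window` counter values. On success the stored counter moves past the
    matched value so the same OTP cannot be replayed."""
    user = USERS.get(username)
    if user is None:
        return REJECT, "unknown user"
    start = user["counter"]
    for c in range(start, start + window):
        if hmac.compare_digest(hotp(user["secret"], c), password):
            user["counter"] = c + 1
            return ACCEPT, "otp ok"
    return REJECT, "bad otp"


def continue_while_accept(chain, username: str, password: str):
    """Modelled ContinueWhileAccept (assumption): run each step in order while
    the previous one accepted; the first non-ACCEPT result ends the chain and
    is returned, so later steps never see a request an earlier step rejected."""
    result = (REJECT, "empty chain")
    for step in chain:
        result = step(username, password)
        if result[0] != ACCEPT:
            break
    return result


# Group check first, HOTP second: the order the thread is trying to achieve.
CHAIN = [auth_sql, auth_hotp]

if __name__ == "__main__":
    print(continue_while_accept(CHAIN, "carol", "755224"))  # unknown user, HOTP never runs
    print(continue_while_accept(CHAIN, "bob", "755224"))    # wrong group, HOTP never runs
    print(continue_while_accept(CHAIN, "alice", "755224"))  # counter 0 OTP accepted
    print(continue_while_accept(CHAIN, "alice", "755224"))  # same OTP again is rejected
```

Reversing CHAIN would reproduce the symptom described in the thread: the OTP step runs first, and a user who is not in any listed group still gets an OTP evaluated before the group check can reject them.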