[RADIATOR] check-items in chained authby queries

Linuxchuck linuxchuck at n-force.com
Thu Feb 3 14:16:23 CST 2011


Michael,
Unfortunately, I need it to be a bit more dynamic.  I have both HOTP and DIGIPASS tokens in use, and the type of token authentication to use is selected by providing an authtype identifier in the username database.  Instead of forcing the server to try both HOTP and DIGIPASS, I can save a few cycles by pre-defining on a per-user basis exactly which token to use.

However, I will certainly plug this config layout into my eval system, and at least make sure that the group check still happens.

Thanks,
Chuck


On 02/03/2011 01:45 PM, Michael wrote:
> 
> Actually, probably nicer to understand, and easier to look at if you clean it up like this:
> 
> 
> # configure AuthSQL
>  <AuthBy GROUP>
>            Identifier      AuthSQL
>            <AuthBy SQL>
>                    GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>                    AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>                    AuthColumnDef   0, Class, request
>                    AuthColumnDef   1, GENERIC, check
>                    AuthColumnDef   2, GENERIC, check
>            </AuthBy>
>  </AuthBy GROUP>
> 
> # configure AuthHOTP
>  <AuthBy GROUP>
>            Identifier              AuthHOTP
>            <AuthBy SQLHOTP>
>                    ...
>            </AuthBy>
>  </AuthBy GROUP>
> 
> # configure authentication process
>  <Realm DEFAULT>
>            AuthByPolicy    ContinueWhileAccept
>            AuthBy AuthSQL
>            AuthBy AuthHOTP
>  </Realm>
> 
> 
> 
> 
> 
> 
> 
> On 11-02-03 02:43 PM, Michael wrote:
>>
>> your "AuthBy GROUP AuthSQL" will not flow down into  the "AuthBy GROUP AuthHOTP".  I don't think the AuthHOTP will be used at all in this config.
>>
>> Look like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
>>> <AuthBy GROUP>
>>>           Identifier      AuthSQL
>>>           AuthByPolicy    ContinueWhileAccept
>>>           <AuthBy SQL>
>>>                   GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>>                   AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>>                   AuthColumnDef   0, Class, request
>>>                   AuthColumnDef   1, GENERIC, check
>>>                   AuthColumnDef   2, GENERIC, check
>>>           </AuthBy>
>>
>> # now call the AuthHOTP
>>     AuthBy AuthHOTP
>>
>>> </AuthBy GROUP>
>>
>>
>> Michael
>>
>>
>> On 11-02-03 02:34 PM, Linuxchuck wrote:
>>> Hello again,
>>>
>>> I am attempting to validate both the username and appropriate group membership via MySQL on an incoming access-request before bothering to process the HOTP password provided.  If the username doesn't exist, or the user is not a member of the group in the list provided, send a reject and stop processing.
>>>
>>> The problem I run into is that the grouplist check appears to be performed by the 2nd AuthBy clause, which fails because HOTP is not capable of checking groups.  I would like for the group check to occur prior to the HOTP check.
>>>
>>> Here is my config layout so far:
>>>
>>> FYI:  The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>>>
>>> <AuthBy GROUP>
>>>           Identifier      AuthSQL
>>>           AuthByPolicy    ContinueWhileAccept
>>>           <AuthBy SQL>
>>>                   GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>>                   AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>>                   AuthColumnDef   0, Class, request
>>>                   AuthColumnDef   1, GENERIC, check
>>>                   AuthColumnDef   2, GENERIC, check
>>>           </AuthBy>
>>> </AuthBy GROUP>
>>>
>>> <AuthBy GROUP>
>>>           Identifier              AuthHOTP
>>>           <AuthBy SQLHOTP>
>>>                   ...
>>>           </AuthBy>
>>> </AuthBy GROUP>
>>>
>>> <Realm DEFAULT>
>>>           AuthBy AuthSQL
>>> </Realm>
>>>
>>> I don't see any evidence that the Authby SQL is performing the group check, and the log tells me "WARNING: This AuthBy does not know how to get user Groups" under the HOTP section.
>>>
>>> Is there a way to accomplish what I'm after?
>>>
>>> Thanks!
>>>
>>> Chuck
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>


More information about the radiator mailing list