[RADIATOR] Ideas on group and reply attribs parsing

Heikki Vatiainen hvn at open.com.au
Thu Apr 4 14:52:51 CDT 2013


On 04/04/2013 03:40 PM, Garry Shtern wrote:

> I am trying to accomplish the following goal and would love ideas on the
> best way to accomplish it…

Have you considered something like:

<Handler Client-Identifier=abc>
  AuthByPolicy ContinueWhileAccept
  AuthBy krb-auth
  AuthBy ldap-auth
  # If still here, have authenticated and have group
  <AuthBy FILE>
    Filename users
    AuthenticateAttribute Group
  </AuthBy>
</Handler>

Where 'users' may look like this:
group1
    Custom-Attribute=1

group2
    Custom-Attribute=2

You are describing the problem in terms of configuration you are
thinking about and this makes it quite hard for me to follow. Bouncing
off from AuthBy FILE with Auth-Type check item seems quite complex and
I'm thinking there's probably an easier way to do this.

Thanks,
Heikki


> - Set up clients with identifiers.
> - In the user file specify multiple defaults, with
> Client-Identifier, Auth-Type and optional Group attributes in check
> replies, and different reply attributes.
> - Defined custom AuthBy with identifiers in the policy file.
> 
> Example:
> 
> (users)
> 
> DEFAULT Client-Identifier=abc, Auth-Type=Krb-Ldap, Group=grp1
>     Custom-Attribute=1
> 
> DEFAULT Client-Identifier=abc, Auth-Type=Krb-Ldap, Group=grp2
>     Custom-Attribute=2
> 
> (policy)
> 
> <AuthBy LDAP2>
>     Identifier Ldap
>> 
> </AuthBy>
> 
> <AuthBy KRB5>
>     Identifier Krb
>> 
> </AuthBy>
> 
> <AuthBy GROUP>
>     Identifier Krb-Ldap
>     AuthByPolicy ContinueWhileAccept
>     AuthBy krb-auth
>     AuthBy ldap-auth
> </AuthBy>
> 
> I want the following:
> 
> - Auth-Type Krb-Ldap called only _once_, which will verify the
> user's password and retrieve all the groups he is part of.
> - Parse users file, matching the first DEFAULT where Group
> matches one of the groups that were retrieved above.
> - Have AuthBy's that don't support Groups check just ignore it,
> instead of returning a reject.
> 
> Thanks!
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
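Heikki's sketch (a Handler with AuthByPolicy ContinueWhileAccept running krb-auth, ldap-auth and then an AuthBy FILE keyed on the Group attribute) as an added, runnable Python stand-in. This is not Radiator code and not from the original post: it only models the two behaviours the suggestion relies on, ContinueWhileAccept stopping the chain at the first non-ACCEPT result and AuthenticateAttribute making the FILE lookup use the value of Group instead of User-Name. The users-file parser follows the shape of Heikki's example (key line, indented reply items, optional check items after the key). The backend tables, the user names and passwords, and the assumption that the LDAP step copies the user's first group into Group are all constructed for the example.

```python
"""Stand-in for the suggested Handler: ContinueWhileAccept over krb -> ldap ->
AuthBy FILE with AuthenticateAttribute Group. Constructed model, not Radiator."""

from dataclasses import dataclass, field

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed users file in the shape of Heikki's example: an unindented line
# carries the lookup key and optional check items, indented lines the reply items.
USERS_FILE = """\
group1
    Custom-Attribute=1

group2
    Custom-Attribute=2, Reply-Message=welcome
"""

# Constructed backend data standing in for Kerberos and LDAP (assumptions).
KRB_PASSWORDS = {"alice": "s3cret", "bob": "hunter2", "carol": "pw"}
LDAP_GROUPS = {"alice": ["group2", "group1"], "bob": ["group1"], "carol": ["group9"]}


def parse_items(text):
    """'A=1, B=two' -> {'A': '1', 'B': 'two'}; empty text -> {}."""
    items = {}
    for item in text.split(","):
        if item.strip():
            name, _, value = item.partition("=")
            items[name.strip()] = value.strip()
    return items


def parse_users(text):
    """Parse users-file text into {key: {'check': {...}, 'reply': {...}}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":                     # key line (+ check items)
            key, _, checks = line.strip().partition(" ")
            current = key
            entries[key] = {"check": parse_items(checks), "reply": {}}
        elif current is not None:                    # reply line
            entries[current]["reply"].update(parse_items(line))
    return entries


@dataclass
class Request:
    user: str
    password: str
    attrs: dict = field(default_factory=dict)   # attributes added by earlier AuthBys
    reply: dict = field(default_factory=dict)   # accumulated reply items
    trace: list = field(default_factory=list)   # which AuthBys actually ran


def auth_krb(req):
    """Stand-in for AuthBy KRB5: password check only, knows nothing about groups."""
    req.trace.append("krb")
    return ACCEPT if KRB_PASSWORDS.get(req.user) == req.password else REJECT


def auth_ldap(req):
    """Stand-in for AuthBy LDAP2 fetching group membership. Assumption: the
    user's first group is copied into the Group attribute for later AuthBys."""
    req.trace.append("ldap")
    groups = LDAP_GROUPS.get(req.user)
    if not groups:
        return REJECT
    req.attrs["Group"] = groups[0]
    return ACCEPT


def make_auth_file(entries, authenticate_attribute="Group"):
    """Stand-in for AuthBy FILE with AuthenticateAttribute: look the entry up by
    the named attribute rather than by User-Name and add its reply items."""
    def auth_file(req):
        req.trace.append("file")
        entry = entries.get(req.attrs.get(authenticate_attribute))
        if entry is None:
            return REJECT                # the group has no users-file entry
        req.reply.update(entry["reply"])
        return ACCEPT
    return auth_file


def handler(req, chain):
    """AuthByPolicy ContinueWhileAccept: run each AuthBy in turn, stop at the
    first one that does not return ACCEPT; the last result is the Handler's."""
    result = REJECT
    for authby in chain:
        result = authby(req)
        if result != ACCEPT:
            break
    return result


def authenticate(user, password):
    req = Request(user, password)
    chain = [auth_krb, auth_ldap, make_auth_file(parse_users(USERS_FILE))]
    return handler(req, chain), req


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("bob", "wrong"), ("carol", "pw")]:
        result, req = authenticate(user, pw)
        print(user, result, req.trace, req.reply)
```

The three constructed cases cover the paths the thread cares about: a good password with a known group picks up that group's reply items; a bad password is rejected by the Kerberos step and the later AuthBys never run; a good password whose group has no users-file entry reaches the FILE step and is rejected there, which is the place to decide whether "no matching group" should mean reject or fall through.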