[RADIATOR] AuthAttrDef for multi-value Radius attribute check

Garry Shtern Garry.Shtern at twosigma.com
Tue Sep 17 09:40:02 CDT 2013


Hi Heikki,

Put me down for this feature as well...

Thanks.

-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Tuesday, September 17, 2013 8:24 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] AuthAttrDef for multi-value Radius attribute check

On 09/16/2013 03:59 PM, Alexander Hartmaier wrote:
> I just tried to implement a check for group membership:
> 
> AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check
> 
> OSC-Group-Identifier-LDAP is a multi-value attribute derived from 
> OSC-Group-Identifier with a PreAuthHook, basically just to transform 
> the support groups of a device into the corresponding LDAP CNs.
> According to the trace 4 log the check runs twice but both times using 
> the first OSC-Group-Identifier-LDAP value.
> Is this a bug?

I think this is the intended behaviour. The code always fetches a single value for the named attribute. This means it always gets the first attribute's value. It does not try to fetch all values of the named attribute.

Currently you could use a PostSearchHook to do something like this:
my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');

Since @ldap_groups is an array, you will get all values of OSC-Group-Identifier-LDAP, not just the first one.

Then you can try each LDAP memberOf attribute value with the OSC-Group-Identifier-LDAP attribute values to see if there's a match:

# Fetch every memberOf value from the LDAP entry; asref => 1 returns an array
# reference (undef when the entry has no memberOf attribute at all).
my $memberof = $entry->get_value('memberOf', asref => 1);
foreach my $group (@{ $memberof || [] }) {
    # grep returns the number of matching values, so the test is true only on a
    # real match (map would return the full list length and always be true).
    return 1 if grep { lc $group eq lc $_ } @ldap_groups;
}
return 0;



Also, we have discussed here adding support for RADIUS attributes that can be present multiple times. This would mean that e.g., if there are 4 Framed-IP-Address attributes, you could have something like this (flat file format):

mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4

This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4.

Any comments about how useful you or others would find this are appreciated.

Thanks,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
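To show concretely why the AuthAttrDef check discussed above misses a match that the PostSearchHook finds, here is a stand-alone Perl script added to this page (it is not Radiator code and not the hook from the thread). It uses plain arrays of constructed sample values in place of the request packet and the Net::LDAP entry, and its two functions are hypothetical names for the two comparison strategies.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: the values a PreAuthHook would have put into the
# multi-valued OSC-Group-Identifier-LDAP attribute, and the user's LDAP
# memberOf values. The matching group is the SECOND device group and differs
# in case from the RADIUS-side value.
my @ldap_groups = (
    'CN=net-core,OU=Groups,DC=example,DC=com',
    'CN=net-edge,OU=Groups,DC=example,DC=com',
);
my @memberof = (
    'cn=net-edge,ou=groups,dc=example,dc=com',
    'cn=helpdesk,ou=groups,dc=example,dc=com',
);

# Mirrors what the AuthAttrDef check does today: every memberOf value is
# compared, but only against the FIRST value of the RADIUS attribute.
sub first_value_match {
    my ($groups, $member) = @_;
    my $first = $groups->[0];
    return 0 unless defined $first;
    return (grep { lc $first eq lc $_ } @$member) ? 1 : 0;
}

# Mirrors the PostSearchHook approach: every memberOf value is compared
# against ALL values of the RADIUS attribute. grep (not map) is used so the
# expression counts matches and is false when there are none.
sub any_value_match {
    my ($groups, $member) = @_;
    foreach my $group (@$member) {
        return 1 if grep { lc $group eq lc $_ } @$groups;
    }
    return 0;
}

print "first value only: ", first_value_match(\@ldap_groups, \@memberof), "\n";
print "all values:       ", any_value_match(\@ldap_groups, \@memberof), "\n";
```

With the sample data the first strategy rejects the user while the second accepts them, which is exactly the difference seen in the trace 4 log.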