[RADIATOR] AuthAttrDef for multi-value Radius attribute check

Heikki Vatiainen hvn at open.com.au
Wed Sep 18 05:14:07 CDT 2013


On 09/17/2013 03:48 PM, Alexander Hartmaier wrote:

>> # asref => 1 returns undef when the entry has no memberOf; default to an empty list
>> my $memberof = $entry->get_value('memberOf', asref => 1) || [];
>> foreach my $group (@$memberof) {
>>    # grep, not map: map in boolean context yields the size of @ldap_groups,
>>    # which is true whenever the list is non-empty, regardless of any match
>>    return 1 if (grep {lc $group eq lc $_} @ldap_groups);
>> }
>> return 0;

> 5.38.21 PostSearchHook from the 4.12 reference doc doesn't describe how
> the return value influences the request handling. Is this something
> common to all hooks and described somewhere else?

You are correct, PostSearchHook does not check return value. Some hooks
use it, such as RequestHook in AuthBy INTERNAL, but it depends on the
hook. I tried to be brief with the example and the return values were
just for illustrative purposes.

The way to reject a user from e.g., PostSearchHook is something like this:

$user->get_check->add_attr('Auth-Type', 'Reject:Not a member of at least one user group');
return;

See goodies/lookupauthgroup.pl for a full example.

>> Also, we discussed here about adding support for RADIUS attributes that
>> can be present multiple times. This would mean that e.g., if there are 4
>> Framed-IP-Address attributes, you could have something like this (flat
>> file format):
>>
>> mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4
>>
>> This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4.
>>
>> Any comments about how useful you or the others would see this is
>> appreciated.
> A syntax to define if any value or all values has to match is highly
> anticipated!

Thanks, noted. Also noted Garry's message. Something like
%{RequestOr:attributename} should be quite straight forward to do and
understand. However, %{RequestAnd:attributename} requires a bit more.

Syntax like this might be a possibility:

mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4|2.3.4.5

Here the request would be accepted if:
User-Password = fred, and
Framed-IP-Address = 1.2.3.4, and
Framed-IP-Address = 2.3.4.5

As another example, the required values (e.g., 1.2.3.4 and 2.3.4.5)
could come from a multivalued LDAP attribute.

If there are examples how the above would be put in use, please let us know.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


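The group check and reject discussed above, written out as a complete PostSearchHook. This is an added example, not code from the message above and not Radiator's goodies/lookupauthgroup.pl. The calls $entry->get_value, $user->get_check and add_attr are the ones shown in the message; the hook argument order, the &main::log call and the group DNs are assumptions to check against your Radiator reference manual and directory. It also includes an "all of" helper next to the "any of" one, which is the distinction the RequestOr/RequestAnd discussion is about.

```perl
# PostSearchHook for <AuthBy LDAP2>: reject the user unless the LDAP
# entry's memberOf holds at least one of the required groups.
# Added example; not Radiator's own code.
use strict;
use warnings;

# Required group DNs. Constructed for this example (assumption);
# replace with the groups in your directory.
my @ldap_groups = (
    'CN=VPN-Users,OU=Groups,DC=example,DC=com',
    'CN=NetAdmins,OU=Groups,DC=example,DC=com',
);

# "any of": true if at least one value of a multi-valued attribute is in
# the required list. Comparison is case-insensitive because LDAP DNs are.
# grep (not map) is used: map would return the list length, which is
# true whenever the list is non-empty, regardless of any match.
sub matches_any {
    my ($values, $required) = @_;
    my %want = map { lc($_) => 1 } @$required;
    return scalar grep { $want{lc $_} } @$values;
}

# "all of": every required value must be present among the attribute's
# values (the RequestAnd case from the discussion).
sub matches_all {
    my ($values, $required) = @_;
    my %have = map { lc($_) => 1 } @$values;
    return scalar(grep { !$have{lc $_} } @$required) == 0;
}

sub {
    # Argument order assumed from the PostSearchHook description in the
    # reference manual: AuthBy object, user name, User object, request,
    # Net::LDAP::Entry, reply. Verify against your manual version.
    my ($self, $name, $user, $p, $entry, $rp) = @_;

    # asref => 1 returns undef when memberOf is absent; treat as no groups.
    my $memberof = $entry->get_value('memberOf', asref => 1) || [];

    # Member of at least one required group: nothing to do, the return
    # value of this hook is ignored anyway.
    return if matches_any($memberof, \@ldap_groups);

    # Not a member: reject by adding an Auth-Type check item, as in the
    # message above.
    $user->get_check->add_attr('Auth-Type',
        'Reject:Not a member of at least one user group');

    # &main::log is the logging call used in Radiator hook examples
    # (assumption that it is available in your version).
    &main::log($main::LOG_DEBUG,
        "PostSearchHook: $name is not in any required group");
    return;
}
```

To install it, reference the file from the AuthBy clause, e.g. `PostSearchHook file:"%D/groupcheck.pl"`, so the anonymous sub at the end is what Radiator compiles and calls; matches_any and matches_all stay ordinary subs the hook can use. Note that PostSearchHook only fires when the LDAP search succeeds, so a user who is not found at all is rejected by AuthBy LDAP2 itself, not by this hook.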