[RADIATOR] "IgnoreIfMissing" required?

Alexander.Hartmaier at t-systems.com Alexander.Hartmaier at t-systems.com
Thu Aug 22 16:06:32 UTC 2019


Hi Heikki,
thanks for the pointers!
Are you planning to add an easily configurable support for such a scenario?

Thanks, Alex


________________________________________
From: radiator <radiator-bounces at lists.open.com.au> on behalf of Heikki Vatiainen <hvn at open.com.au>
Sent: Tuesday, 20 August 2019 13:05
To: radiator at lists.open.com.au
Subject: Re: [RADIATOR] "IgnoreIfMissing" required?

On 14/08/2019 11.35, Alexander.Hartmaier at t-systems.com wrote:

> We have multiple AuthBys per handler, e.g. one FILE, three LDAP2, one SQL.
> As AuthBy LDAP2 returns a reject for both user not found and incorrect password we have configured AuthByPolicy ContinueUntilAccept in the Handler.
> The issue we have with this config is the logging: if a user enters an incorrect password and the user isn't found by the last AuthBy but one of the four previous ones, it is skipped and the last one returns 'no such user'.
>
> We'd like to stop trying further AuthBys when one finds the user but the password is incorrect to make troubleshooting such issues easier.
>
> I can't think of a way to use AcceptIfMissing in combination with AuthByPolicy to do this and think an IgnoreIfMissing would be helpful.
>
> Any advice if that's possible without hooks?

Can't think of a good way to do this without hooks.

With hooks I'd consider PostAuthHook within AuthBy LDAP2 to switch
result argument to, for example, ignore if it looks like the user was
not found.

A simple method could be to look at the reason. A more controlled method
could be to use a PostSearchHook to add a marker attribute in $p when
there was a result and user was found. The PostAuthHook could then use
the presence of this attribute for deciding if the result should be changed.

In short: flag in PostSearchHook, act in PostAuthHook. All this within
AuthBy LDAP2.

Thanks,
Heikki

--
Heikki Vatiainen <hvn at open.com.au>
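
The flag-then-act idea from the reply above, modelled in Python as an added example (not code from the thread or from Radiator). Assumptions: the Handler policy is switched to ContinueWhileIgnore so that a reject stops the chain, which the thread does not state; every backend in the model rejects unknown users the way the thread describes for LDAP2; all names and credentials are constructed.

```python
# Added illustration: a model of an AuthBy chain, not Radiator code or configuration.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Constructed sample data: (AuthBy name, {user: password}), in Handler order.
BACKENDS = [
    ("FILE", {"admin": "a1"}),
    ("LDAP2-1", {"alice": "correct-horse"}),
    ("LDAP2-2", {"bob": "b0b"}),
    ("LDAP2-3", {"dave": "d4ve"}),
    ("SQL", {"carol": "c4rol"}),
]

def authby(users, user, password, flag_and_act):
    """One AuthBy; rejects both unknown users and bad passwords, like LDAP2 in the thread."""
    request = {}  # stands in for per-request state ($p in the thread)
    if user in users:
        request["user_found"] = True  # "flag" step (PostSearchHook role)
        if users[user] == password:
            return ACCEPT, ""
        result, reason = REJECT, "Bad password"
    else:
        result, reason = REJECT, "No such user"
    # "act" step (PostAuthHook role): a reject without the flag means "not found"
    if flag_and_act and result == REJECT and "user_found" not in request:
        result = IGNORE
    return result, reason

def run_chain(policy, user, password, flag_and_act):
    """Return (final result, reason, names of the AuthBys tried)."""
    tried, result, reason = [], IGNORE, ""
    for name, users in BACKENDS:
        result, reason = authby(users, user, password, flag_and_act)
        tried.append(name)
        if policy == "ContinueUntilAccept" and result == ACCEPT:
            break
        if policy == "ContinueWhileIgnore" and result != IGNORE:
            break
    return result, reason, tried

def compare(user, password):
    """Same login against the original setup and the flag-and-act setup."""
    before = run_chain("ContinueUntilAccept", user, password, flag_and_act=False)
    after = run_chain("ContinueWhileIgnore", user, password, flag_and_act=True)
    return before, after

if __name__ == "__main__":
    for label, outcome in zip(("before", "after"), compare("alice", "wrong")):
        print(label, outcome)
```

In this model a user unknown to every backend ends as IGNORE rather than REJECT, so the last AuthBy in the chain still needs a deliberate answer for unknown users.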
