On Fri, 2008-08-22 at 20:25 +0200, Alan DeKok wrote:

> Greg Woods wrote:
> > I have to find a way to specify in the front end proxy on a per-user basis
> > which back end server should be used.
>
> Use groups, or *something* else.
I can't find any information on groups except for the "chroot" group and huntgroups, and neither of those appears to be related to what I'm trying to do. I grepped all the config files and there's no "man 5 groups". Can you point me to the documentation on groups?

> What's in the request packet that makes S/key different from the other
> authentication modules?

Since the requests are all generated by the same clients, nothing is different. What I need is to be able to have certain users proxied to the S/key back end server, and the rest of them proxied to the default otp back end server. So whatever I come up with has to be able to key on the User-Name attribute.

> How can you distinguish between the two kinds of requests?

Only by what the User-Name is.

> Where is that information stored?

That is what I am trying to figure out. Certainly, the User-Name attribute is coming in as part of the Access-Request packet. I want to be able to decide, based on the value of that attribute, which realm it should be proxied to (or, if realms aren't the right way to do this, in some way based only on User-Name I have to be able to proxy to different back end servers).

It appears from the comments in the preproxy_users file that this may be where I should be doing this. But it doesn't work, because the authorize section has previously determined the realm. I also tried using the users file to set Realm, overwrite User-Name with [EMAIL PROTECTED], and none of this worked either. While the debug output shows that the users entry matched, it doesn't actually change the value of Realm or User-Name.
I always get something like this:

rad_recv: Access-Request packet from host 127.0.0.1 port 58207, id=208, length=73
        User-Name = "woods"
        User-Password = "CURRENT SKEY PASSPHRASE"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize
users: Matched entry woods at line 1
++[files] returns ok
rlm_realm: No '@' in User-Name = "woods", looking up realm NULL

This is even if I have in users:

woods   User-Name := [EMAIL PROTECTED]

Apparently User-Name is immutable. But it doesn't look like I can set Realm either, because that is always determined from User-Name. Catch-22.

rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "woods"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Proxying request from user woods to realm NULL
rlm_realm: Preparing to proxy authentication request to realm "NULL"
++[NULL] returns updated
+- entering group pre-proxy
preproxy_users: Matched entry woods at line 32
++[files] returns ok

In any case, I think I have figured out that doing it in users isn't the right approach, because the documentation says this only modifies the reply, and a proxied request isn't exactly a reply. That's probably why this method doesn't work. But doing it in pre-proxy is obviously too late, as the realm is already determined by the time pre-proxy is entered. It actually works here to change the User-Name value to "[EMAIL PROTECTED]", but it's still proxying that new username to the NULL realm server.

--Greg

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
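An added example, not from this thread or its participants, of selecting the proxy target per user: the users file sets the Proxy-To-Realm check item (instead of trying to overwrite User-Name or Realm), and proxy.conf defines the realms it names. It assumes FreeRADIUS 2.x with "files" listed before "realm" in authorize, that rlm_realm leaves an already-set Proxy-To-Realm alone, and placeholder realm names, addresses and secrets.

```conf
# users file: check items only, so the entry decides where the request is
# proxied and the reply still comes from the home server. Realm names
# "skey" and "otp" are placeholders defined in proxy.conf below.
woods   Proxy-To-Realm := "skey"

DEFAULT Proxy-To-Realm := "otp"

# proxy.conf: one home server per back end. Addresses (TEST-NET-1) and
# secrets are placeholders, not values from the thread.
home_server skey_backend {
        type   = auth
        ipaddr = 192.0.2.10          # placeholder
        port   = 1812
        secret = CHANGE_ME_SKEY      # placeholder
}
home_server otp_backend {
        type   = auth
        ipaddr = 192.0.2.11          # placeholder
        port   = 1812
        secret = CHANGE_ME_OTP       # placeholder
}
home_server_pool skey_pool {
        type        = fail-over
        home_server = skey_backend
}
home_server_pool otp_pool {
        type        = fail-over
        home_server = otp_backend
}
# The realm names here are what Proxy-To-Realm refers to; they need not
# match anything in User-Name, so "woods" is proxied without an '@' suffix.
realm skey {
        auth_pool = skey_pool
}
realm otp {
        auth_pool = otp_pool
}
```

With this layout the "No '@' in User-Name ... looking up realm NULL" step in the debug output no longer decides the target, because the users entry has already chosen it before rlm_realm runs.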