Hello Valentin -


We have recently added an "AuthenticateAttribute" parameter which allows you to specify a different attribute to use other than "User-Name", and we have also added generic caching of user database lookups. Perhaps you could check the latest Radiator 3.5 patches and let us know if these are what you are looking for (check the history file "doc/history.html").

As always we are more than happy to receive suggestions, patches, hooks and whatever for inclusion in the distribution.

Many thanks for your support.

regards

Hugh

On Thursday, Apr 3, 2003, at 22:04 Australia/Melbourne, Valentin Tumarkin wrote:

Hi,


While doing work for our clients I very often have to implement a
'profile' scheme for users. (By 'profile' I mean a named set of
check/reply item definitions that can be assigned to a user
by name.)

AuthFILE is ideal for storing profiles, because:

* It's simple to maintain, but still rather powerful
* It has built-in caching
* Doesn't require Radiator reload/HUP on file modification

The only problem is that AuthFILE doesn't do format_special on the
username.

I used to implement this using hooks (a bit of a problem if you want to
look up the profile before you do the actual authentication). I also played
around with a modified AuthFILE module.


Now, I think, I have found a nice and rather generic solution: a modified
AuthGeneric get_user sub. The get_user sub checks if the 'UserSearchKey'
parameter was defined, and if so, does dynamic formatting on it and uses
the result for the findUser call.


Unfortunately the patch only works for modules that do not overwrite
handle_request, whose findUser sub is called by AuthGeneric's
version of get_user, and whose findUser sub uses the username
it got from its call arguments.

As far as I've checked - the patch will be useful for:

AuthCDB.pm
AuthDBFILE.pm
AuthEMERALD4.pm
AuthEMERALD.pm
AuthFILE.pm
AuthNISPLUS.pm
AuthSYSTEM.pm
AuthTEST.pm
AuthUNIX.pm
(please note that actual testing was only done with AuthFILE)


A configuration example and the patch follow.



Also, speaking of profiles, I've written a nice hook for "user belonging to
multiple groups, stored in LDAP" support, and a proof-of-concept generic
caching module. Should I post them?



##############################################################
##
## config file sample

# Check DNIS Profile
<AuthBy FILE>
        Identifier      Check_DNIS_Profile
        Filename        %{GlobalVar:ETCDIR}/dnis_profiles
        UserSearchKey   %{Called-Station-Id}
        # NoDefault
        # Nocache
</AuthBy>

# Check Group Profile, using X-Group-Name we got from LDAP
<AuthBy FILE>
        Identifier      Check_Group_Profile
        Filename        %{GlobalVar:ETCDIR}/group_profiles
        UserSearchKey   %{X-Group-Name}
        # NoDefault
        # Nocache
</AuthBy>

<AuthBy LDAP2>
        # Identifier as referenced by the Handler below
        Identifier      MyLDAPAuth
        # Map user group profile name LDAP attribute to the
        # X-Group-Name attribute in RADIUS Request packet
</AuthBy>

# Do DNIS Profile, then LDAP Auth, then User Group Profile
<Handler X-Some-Wierd-Attribute=Z >
        AuthByPolicy ContinueWhileAccept
        AuthBy  Check_DNIS_Profile
        AuthBy  MyLDAPAuth
        AuthBy  Check_Group_Profile
</Handler>

##############################################################
# 'dnis_profiles' file:
# The key is Called-Station-Id
5550001 Realm = /^(foo|bar)$/,Auth-Type=MyAuth1
        Reply-Message="using cascading auth 1"

5550002 Client-Identifier = /Cisco/
        cisco-avpair = "some cisco av"
        Reply-Message="you are using Cisco NAS"

# If you want the module to 'ACCEPT' undefined cases - use 'DEFAULT'
DEFAULT

##############################################################
# 'group_profiles' file
# The key is X-Group-Name
group1  
        Reply-Message="You are in group1"

group2
        Reply-Message="You are in group2"

## END Examples

##############################################################
##
## The patch for AuthGeneric.pm

# In the %Radius::AuthGeneric::ConfigKeywords hash add:
       'UserSearchKey'             => 'string',


# In 'sub get_user', before the findUser while loop, add:
# Allow searching for the user using a RADIUS
# Request attribute (or combination) other than User-Name.
# Valentin Tumarkin / Xpert 2003/04/03
my $orig_user_name = $user_name;
if ($self->{UserSearchKey}) {
    # Expand %{Attr} etc. from the request $p; %0 is the original User-Name
    $user_name = &Radius::Util::format_special
        ($self->{UserSearchKey}, $p, undef, $orig_user_name);
    $self->log($main::LOG_DEBUG,
        "Using dynamic user key '$user_name' in auth of '$orig_user_name' with $type",
        $p);
}
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.



NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
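The following stand-alone Perl script is an added example and is not Radiator code or code from either poster. It models what the UserSearchKey patch and the 'dnis_profiles' sample above combine to do: a profile lookup keyed by a request attribute other than User-Name. format_key is a hypothetical stand-in for Radius::Util::format_special (only %{Attr} and %0 are expanded), the users-file parser is deliberately minimal, Auth-Type cascading is not modelled, and the request and profile data are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration, not Radiator code: a 'profile' lookup keyed by a
# RADIUS request attribute, as the UserSearchKey patch lets AuthBy FILE do.
use strict;
use warnings;

# Hypothetical stand-in for Radius::Util::format_special: expands %{Attr}
# from the request hash and %0 from the original user name. A missing
# attribute expands to the empty string.
sub format_key {
    my ($template, $req, $orig_user) = @_;
    my $out = $template;
    $out =~ s/%\{([^}]+)\}/defined $req->{$1} ? $req->{$1} : ''/ge;
    $out =~ s/%0/$orig_user/g;
    return $out;
}

# Split 'A = v, B="x y"' into [[A, v], [B, x y]]; quoted values may hold commas.
sub parse_items {
    my ($s) = @_;
    my @items;
    while ($s =~ /\G\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^,]*?))\s*(?:,|$)/gc) {
        push @items, [ $1, defined $2 ? $2 : $3 ];
    }
    return \@items;
}

# Parse users-file style text into { key => { check => [...], reply => [...] } }.
# An unindented line starts an entry (key + check items); indented lines add reply items.
sub parse_profiles {
    my ($text) = @_;
    my (%profiles, $current);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        if ($line =~ /^(\S+)\s*(.*)$/) {
            $current = $1;
            $profiles{$current} = { check => parse_items($2), reply => [] };
        } elsif (defined $current) {
            push @{ $profiles{$current}{reply} }, @{ parse_items($line) };
        }
    }
    return \%profiles;
}

# Evaluate check items against the request. /re/ values are regex matches;
# Auth-Type is a Radiator directive, not a request attribute, so it is skipped.
sub checks_pass {
    my ($checks, $req) = @_;
    for my $item (@$checks) {
        my ($attr, $want) = @$item;
        next if $attr eq 'Auth-Type';
        my $have = $req->{$attr};
        return 0 unless defined $have;
        if ($want =~ m{^/(.*)/$}) {
            my $re = $1;
            return 0 unless $have =~ /$re/;
        } else {
            return 0 unless $have eq $want;
        }
    }
    return 1;
}

# Modelled on AuthFILE: look up the formatted key, test its check items, then
# fall back to the DEFAULT entry if there is one. Returns (result, reply items).
sub lookup_profile {
    my ($profiles, $template, $req) = @_;
    my $key = format_key($template, $req, $req->{'User-Name'});
    for my $name ($key, 'DEFAULT') {
        next if $name eq '';          # attribute absent: no real entry can match
        my $prof = $profiles->{$name} or next;
        return ('ACCEPT', $prof->{reply}) if checks_pass($prof->{check}, $req);
    }
    return ('REJECT', []);
}

# Constructed sample data: the 'dnis_profiles' file from the post, and a request.
my $dnis_profiles = <<'END';
5550001 Realm = /^(foo|bar)$/,Auth-Type=MyAuth1
        Reply-Message="using cascading auth 1"

5550002 Client-Identifier = /Cisco/
        cisco-avpair = "some cisco av"
        Reply-Message="you are using Cisco NAS"

DEFAULT
END
my %request = (
    'User-Name'         => 'alice',
    'Called-Station-Id' => '5550001',
    'Realm'             => 'foo',
    'Client-Identifier' => 'Cisco-7200',
);
my $with_default    = parse_profiles($dnis_profiles);
my $without_default = parse_profiles($dnis_profiles =~ s/^DEFAULT\n//mr);

for my $case (
    ['5550001, Realm foo',               \%request,                                      $with_default],
    ['5550001, Realm baz (check fails)', { %request, 'Realm' => 'baz' },                $with_default],
    ['5550002 via Cisco NAS',            { %request, 'Called-Station-Id' => '5550002' }, $with_default],
    ['no Called-Station-Id, DEFAULT',    { %request, 'Called-Station-Id' => undef },     $with_default],
    ['no Called-Station-Id, no DEFAULT', { %request, 'Called-Station-Id' => undef },     $without_default],
) {
    my ($label, $req, $profiles) = @$case;
    my ($result, $reply) = lookup_profile($profiles, '%{Called-Station-Id}', $req);
    printf "%-35s => %-6s %s\n", $label, $result,
        join(', ', map { "$_->[0]=\"$_->[1]\"" } @$reply);
}
```

The last two cases are the one to watch when a profile file carries a DEFAULT entry: a request that lacks the key attribute (or whose check items fail) formats to a key that matches no real entry, so it falls through to DEFAULT and that AuthBy returns ACCEPT. Under AuthByPolicy ContinueWhileAccept the chain then continues exactly as for a recognised DNIS, which is the intended "accept undefined cases" behaviour described in the sample, but it means the DEFAULT line, not the profile lookup, decides whether unknown callers reach the LDAP step. Omit DEFAULT (the without_default case) if unknown keys should stop the chain.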