On 04/11/2011 11:42 AM, Remco van Noorloos wrote:

Hello Remco,

> I've tried your suggestion and I managed to get some variables dynamically 
> from an SQL database. 
> 
> When I try AuthColumnDef twice in two different AuthBy SQL's it doesn't seem 
> to work though. The 'AUTH_BACKEND' and 'CONNECTION_ID' are working properly. 
> When Radiator reaches the AuthBy LDAP2 it tries to connect with LDAP to 
> 'LDAP_SERVER'. The value of this attribute isn't set and therefore Radiator 
> is unable to authenticate against the Active Directory. The query in 
> AuthSelect is returning correct values though. 
> 
> Is it not possible to use AuthColumnDef twice or something? I tried different 
> configurations with the AuthBys outside a Handler as well.

Using AuthColumnDef twice is fine and a normal way to do things.

I also tried creating a configuration for dynamic AuthBy LDAP2s and
noticed that some things may not be possible with the current LDAP2 AuthBy.
For example AuthDN is used for binding and this binding likes to stay
with the object that is created from the AuthBy LDAP2 clause. The object is
created when Radiator initialises during startup.

In other words, my test and closer look at the code shows that while
some things are dynamic, others are initialised from the first request
that arrives or only after an error occurs. Additionally, Host
especially seems to be something that is not currently evaluated in
packet context. This means that even if formatting characters are
available, variables from the request are not.

About your configuration: how many combinations of
LDAP servers and AuthDNs do you have? If you needed to list all LDAP
servers and their AuthDNs, would this be feasible?

Yours,
Heikki


> The current configuration is as follows:
> 
> ---
> 
> LogDir                C:\Program Files\Radiator\logs
> LogFile               %L\%Y%m%d-%H00-radius.log
> DbDir         C:\Program Files\Radiator
> DictionaryFile C:\Program Files\Radiator\dictionary
> 
> Trace                 5
> 
> <Client DEFAULT>
>       Secret                  mysecret
>       DupInterval     0
> </Client>
> 
> <AuthBy SQL>
>       Identifier      DETERMINE_AUTH_BACKEND
>       
>       DBSource        dbi:ODBC:DRIVER={SQL Server};SERVER={localhost};DATABASE=dbPMS
>       DBUsername      sa_pmsuser
>       DBAuth          123pms
>       
>       AuthSelect      EXEC spGetAuthenticationSource %0, %{Quote:%{NAS-Port-Type}}, %{Quote:%{Service-Type}}, %{Quote:%{Acct-Sess-ID}}
>       
>       AuthColumnDef 0, AUTH_BACKEND, request
>       AuthColumnDef 1, CONNECTION_ID, request
> </AuthBy>
> 
> 
> <Handler>
>       AuthByPolicy ContinueWhileAccept
>       
>       <AuthBy GROUP>
>         AuthByPolicy  ContinueUntilAccept
>         AuthBy                        DETERMINE_AUTH_BACKEND
>     </AuthBy>
>     <AuthBy HANDLER>
>         HandlerId             AUTH_USER_%{AUTH_BACKEND}
>     </AuthBy>
>     #AuthBy sql-add-reply-attributes
> 
> </Handler>
> 
> <Handler>
>     Identifier AUTH_USER_realmLDAP
>       
>       AuthByPolicy ContinueWhileAccept
>       
>       <AuthBy SQL>
>               DBSource        dbi:ODBC:DRIVER={SQL Server};SERVER={localhost};DATABASE=dbPMS
>               DBUsername      sa_pmsuser
>               DBAuth          123pms
>               
>               AuthSelect      EXEC spLDAPGetProperties %0, %{CONNECTION_ID}
>               
>               AuthColumnDef 0, LDAP_SERVER, request
>               AuthColumnDef 1, LDAP_AUTHDN, request
>               AuthColumnDef 2, LDAP_AUTHPASSWORD, request
>               AuthColumnDef 3, LDAP_BASEDN, request
>               AuthColumnDef 4, LDAP_SEARCH_FILTER, request
>       </AuthBy>
>       <AuthBy LDAP2>
>               Host                    %{LDAP_SERVER}
>               
>               AuthDN                  %{LDAP_AUTHDN}
>               AuthPassword    %{LDAP_AUTHPASSWORD}
> 
>               BaseDN                  %{LDAP_BASEDN}
> 
>               SearchFilter    (&(userPrincipalName=%1)(memberOf=%{LDAP_SEARCH_FILTER}))
> 
>               ServerChecksPassword
>               
>               HoldServerConnection
>                 
>               #Debug 255
> 
>               Timeout                 10
>               FailureBackoffTime 1
> 
>               Version                 3
>       </AuthBy>
>       
> </Handler>
> 
> ---
> 
> Logging:
> 
> ---
> 
> Code:       Access-Request
> Identifier: 71
> Authentic:  <245><135><138>2<21><143>'<136><169><201><134>}<251><24>@<246>
> Attributes:
>       User-Name = "rvannoorl...@proxsys.net"
>       Service-Type = Framed-User
>       NAS-IP-Address = 203.63.154.1
>       NAS-Identifier = "203.63.154.1"
>       NAS-Port = 1234
>       Called-Station-Id = "123456789"
>       Calling-Station-Id = "987654321"
>       NAS-Port-Type = Async
>       User-Password = <158><252>xt"cP<217><217><197><4><229><208>-<6>;
> 
> Mon Apr 11 10:02:41 2011: DEBUG: Handling request with Handler '', Identifier ''
> Mon Apr 11 10:02:41 2011: DEBUG:  Deleting session for rvannoorl...@proxsys.net, 203.63.154.1, 1234
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthGROUP:
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthSQL: DETERMINE_AUTH_BACKEND
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthSQL: DETERMINE_AUTH_BACKEND
> Mon Apr 11 10:02:41 2011: DEBUG: Query is: 'EXEC spGetAuthenticationSource 'rvannoorl...@proxsys.net', 'Async', 'Framed-User', ''':
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthSQL looks for match with rvannoorl...@proxsys.net [rvannoorl...@proxsys.net]
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthSQL ACCEPT: : rvannoorl...@proxsys.net [rvannoorl...@proxsys.net]
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthGROUP: DETERMINE_AUTH_BACKEND result: ACCEPT,
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthHANDLER:
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy HANDLER is redirecting to Handler 'AUTH_USER_realmLDAP'
> Mon Apr 11 10:02:41 2011: DEBUG: Handling request with Handler '', Identifier 'AUTH_USER_realmLDAP'
> Mon Apr 11 10:02:41 2011: DEBUG:  Deleting session for rvannoorl...@proxsys.net, 203.63.154.1, 1234
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthSQL:
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthSQL:
> Mon Apr 11 10:02:41 2011: DEBUG: Query is: 'EXEC spLDAPGetProperties 'rvannoorl...@proxsys.net', 369':
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthSQL looks for match with rvannoorl...@proxsys.net [rvannoorl...@proxsys.net]
> Mon Apr 11 10:02:41 2011: DEBUG: Radius::AuthSQL ACCEPT: : rvannoorl...@proxsys.net [rvannoorl...@proxsys.net]
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy SQL result: ACCEPT,
> Mon Apr 11 10:02:41 2011: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Apr 11 10:02:41 2011: INFO: Connecting to :389
> Mon Apr 11 10:02:41 2011: ERR: Could not open LDAP connection to :389. Backing off for 1 seconds.
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
> Mon Apr 11 10:02:41 2011: DEBUG: AuthBy HANDLER result: IGNORE, User database access error


-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
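An added illustration of the behaviour Heikki describes, written by the editor rather than taken from Radiator's code or from either poster: a toy Python model of Radiator-style %{...} expansion that reproduces the AuthSelect query shown in the log above and shows why a Host of %{LDAP_SERVER} expanded at startup, with no packet in context, becomes ':389'. The sample request is constructed from the Access-Request in the log; the function names and the hostname ldap.example.invalid are the editor's own assumptions.

```python
import re

# Matches the innermost %{...} so nested forms such as %{Quote:%{NAS-Port-Type}}
# resolve inside-out. Toy model of Radiator's special characters, not its code.
_SPECIAL = re.compile(r"%\{([^{}]*)\}")


def sql_quote(value):
    """Single-quote a value for SQL, doubling embedded quotes (the job of %{Quote:...})."""
    return "'" + value.replace("'", "''") + "'"


def expand(template, request=None):
    """Expand %0 and %{Attr} against a request dict.

    request=None models startup-time evaluation: no packet exists, so every
    attribute reads as the empty string. %0 is the quoted User-Name, as in AuthSelect.
    """
    request = request or {}
    text = template.replace("%0", sql_quote(request.get("User-Name", "")))

    def repl(match):
        inner = match.group(1)
        if inner.startswith("Quote:"):
            return sql_quote(inner[len("Quote:"):])
        return request.get(inner, "")

    for _ in range(8):  # bounded so a value containing %{...} cannot loop forever
        new_text = _SPECIAL.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    return text


def apply_auth_column_defs(row, column_defs, request):
    """AuthColumnDef N, NAME, request: copy column N of the result row into the request."""
    for index, name in column_defs:
        request[name] = row[index]
    return request


def ldap_target(host_template, port=389, request=None):
    """Where AuthBy LDAP2 would try to connect for the given Host setting."""
    return f"{expand(host_template, request)}:{port}"


# Constructed from the Access-Request in the log above; Acct-Sess-ID is absent there too.
REQUEST = {"User-Name": "rvannoorl...@proxsys.net", "Service-Type": "Framed-User",
           "NAS-Port-Type": "Async"}
AUTH_SELECT = ("EXEC spGetAuthenticationSource %0, %{Quote:%{NAS-Port-Type}}, "
               "%{Quote:%{Service-Type}}, %{Quote:%{Acct-Sess-ID}}")

if __name__ == "__main__":
    print(expand(AUTH_SELECT, REQUEST))
    req = apply_auth_column_defs(["ldap.example.invalid"], [(0, "LDAP_SERVER")], dict(REQUEST))
    print(ldap_target("%{LDAP_SERVER}", request=req))  # per-packet expansion
    print(ldap_target("%{LDAP_SERVER}"))               # startup-time expansion
```

The first print matches the query in the DEBUG log line by line, while the last reproduces the "Connecting to :389" the LDAP2 clause logged.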