Re: Getting group information from sql

2004-02-27 Thread Alan DeKok
Tim Bates <[EMAIL PROTECTED]> wrote:
> Ah, this could work. The /etc/group file on the RADIUS server is 
> generated out of the same database which FreeRADIUS is configuring, so I 
> can use that as a (hopefully) temporary solution. Just to confirm, did 
> you mean using the etc_group example of the passwd module in the default 
> radiusd.conf?

  That will work, but you can use the "unix" module, too.  It is the
one managing the Group/Group-Name attribute.

  If you use etc_group to do group checking, then use an attribute
other than Group, or it will conflict with the Unix module.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
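Putting Alan's two suggestions into configuration form, as an added example that is not from the thread or from the FreeRADIUS project's own files. Option A relies on the unix module answering `Group-Name` checks itself; option B is the `etc_group` instance of the passwd module with a private attribute so it does not collide with the unix module. The attribute name `My-Group` and its number are assumptions, and the prefix semantics of the passwd `format` string (`*` key field, `=` request list, `~` reply list, no prefix check list) are my reading of rlm_passwd and should be confirmed in `radiusd -X` output before the rule is relied on. The huntgroup and group names come from Tim's mail.

```text
# --- Option A: let the unix module answer Group-Name checks ---
# radiusd.conf.  The unix module registers the comparison function for
# Group/Group-Name, so a users-file check on that attribute is answered by a
# membership lookup in /etc/group at match time.  It has to be referenced in
# some section so the server instantiates it; the authenticate section is
# where the stock config lists it.
modules {
	unix {
		cache = no
		radwtmp = ${logdir}/radwtmp
	}
}
authorize {
	preprocess
	sql
	files
}
authenticate {
	pap
	unix
}

# raddb/users.  Check items on the first line, comma separated; reply items
# indented on the following lines.  A user reaching a NAS in the "restricted"
# huntgroup who is not in the sysadmin group is rejected.
DEFAULT Huntgroup-Name == "restricted", Group-Name != "sysadmin", Auth-Type := Reject
	Fall-Through = No

# --- Option B: passwd module over /etc/group with a private attribute ---
# raddb/dictionary.  A local attribute so the check does not run through the
# unix module's Group/Group-Name comparison.  Name and number are
# assumptions; pick a number that does not collide with the shipped
# dictionaries.
ATTRIBUTE	My-Group	3000	string

# radiusd.conf.  Format prefixes as I read rlm_passwd: '*' marks the key field
# ('*,' a comma-separated list of keys, i.e. the member list of a group line),
# '=' puts the field into the request list where the files module matches it,
# '~' into the reply list, no prefix into the check list.
modules {
	passwd etc_group {
		filename = /etc/group
		format = "=My-Group:::*,User-Name"
		hashsize = 50
		ignorenislike = yes
		allowmultiplekeys = yes
		delimiter = ":"
	}
}
authorize {
	preprocess
	etc_group
	sql
	files
}

# raddb/users, the same rule on the private attribute.  With allowmultiplekeys
# a user in several groups gets one My-Group per group line; verify in
# radiusd -X that the != comparison sees all of them.
DEFAULT Huntgroup-Name == "restricted", My-Group != "sysadmin", Auth-Type := Reject
	Fall-Through = No
```

With either option, run `radiusd -X` and send a test request from a NAS in the restricted huntgroup for a user in and for a user outside sysadmin: the authorize trace shows which attributes each module adds to which list, and the `files` module reports whether the DEFAULT entry matched, which is the check that settles the request-list versus check-list question Tim raises.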


Getting group information from sql

2004-02-26 Thread Tim Bates
Folks,
Parts of my radiusd.conf look something like this:
authorize {
  preprocess
  sql
  files
}
authenticate {
  pap
}
My SQL tables are actually PostgreSQL VIEWs which look into my 
pre-existing user database to present the information in the format 
suitable to RADIUS, i.e.:

 id | username |   attribute    |            value             | op
----+----------+----------------+------------------------------+----
  2 | tb       | Crypt-Password | $1$ql$aI56h/QB5b3.tHJFJ7q7m/ | ==
  3 | tb       | Group-Name     | tb                           | +=
  5 | tb       | Group-Name     | sysadmin                     | +=

I have managed to successfully get my NAS to authenticate the user based 
on the password in the database. The table format above can be changed 
to solve my problem if necessary (for example if += is the wrong op to 
use, or Group-Name is the wrong attribute to use).

I want to match on Group-Name in my raddb/users file (as this is 
processed after sql as you see above). I want to do something like this:

DEFAULT Group-Name != "sysadmin", Huntgroup-Name == "restricted", Auth-Type := Reject
	Fall-Through = No
i.e. if a user attempts to log into a NAS in the "restricted" huntgroup 
(which I have confirmed is being correctly identified) then they must be 
in the sysadmin group to be permitted to log in.

(Apologies for the wrapping, I know this isn't actually valid syntax. 
Assume that lines can be broken with backslashes for the purposes of 
this email).

The problem seems to be that the sql module adds the Group-Name 
attribute to the list of configuration items, whilst the files module 
matches against items in the check list.

The question, therefore, is - how can I get the sql module to add items 
to the check list, in the same way the preprocess module adds the 
Huntgroup-Name and Client-IP-Address attributes (etc)? Or alternatively, 
how can I achieve a similar effect in another way? Specifically, how can 
I disallow users from connecting to NASs in the "restricted" huntgroup 
if they're not members of the "sysadmin" group?

I believe I have a fairly thorough understanding of how all the bits of 
FreeRADIUS interact, so I must be missing something fairly small but 
significant, or simply can't see a solution that's right under my nose. 
Apologies if this is an FAQ (I have read the flippin documentation as 
best I could) or a problem whose solution is obvious to those with more 
experience than me.

Thanks for your help.
Tim.
--
Tim Bates
[EMAIL PROTECTED]


Re: Getting group information from sql

2004-02-26 Thread Alan DeKok
Tim Bates <[EMAIL PROTECTED]> wrote:
> I have managed to successfully get my NAS to authenticate the user based 
> on the password in the database. The table format above can be changed 
> to solve my problem if necessary (for example if += is the wrong op to 
> use, or Group-Name is the wrong attribute to use).

  The purpose of the Group/Group-Name attribute is to see if the user
is in a Unix group.  You can't use it for much else.

> The question, therefore, is - how can I get the sql module to add items 
> to the check list, in the same way the preprocess module adds the 
> Huntgroup-Name and Client-IP-Address attributes (etc)?

  It's difficult.  I'd like to see the server do it automatically, but
I'll have to think about it some more before I decide how/if it's
possible.

> I believe I have a fairly thorough understanding of how all the bits of 
> FreeRADIUS interact, so I must be missing something fairly small but 
> significant, or simply can't see a solution that's right under my nose. 

  I don't think it can be done in 0.9.3, or the current CVS snapshot.

  Hmm... it should be possible to put check item attributes into a
special attribute number range, and update the comparison functions to
"do the right thing" with them.  As always, patches are welcome.

  Alan DeKok.



Re: Getting group information from sql

2004-02-26 Thread Tim Bates
Alan DeKok wrote:
>   The purpose of the Group/Group-Name attribute is to see if the user
> is in a Unix group.  You can't use it for much else.
Ah, this could work. The /etc/group file on the RADIUS server is 
generated out of the same database which FreeRADIUS is configuring, so I 
can use that as a (hopefully) temporary solution. Just to confirm, did 
you mean using the etc_group example of the passwd module in the default 
radiusd.conf?

Tim.

--
Tim Bates
[EMAIL PROTECTED]