On Thu, 14 Feb 2002, Matthew Schumacher wrote:

> Chris,
>
> Thanks for your reply... I don't think this will work with my system
> because Some-Attribute is coming from LDAP.  Basically I need
> ldap.attrmap changes on a per NAS basis.
>
> The changes that I want are not something that will work in a hunt group
> because I want one NAS to serve a different static address than another,
> which are changes that are made on a per-user basis.
>
> Thanks,
>
> schu
>

Well, basically you can't do what you want right now. Try applying the attached
patch. It is against the latest CVS snapshot. Make sure though that you update
both the radiusd binaries as well as the dictionary file. The basic idea is to
change your authorize section to look something like this:

ldap ldap1{
        [...]
        dictionary_mapping = ${raddbdir}/ldap.attrmap1
}
ldap ldap2{
        [...]
                dictionary_mapping = ${raddbdir}/ldap.attrmap2
}

authorize{
        autztype Ldap1 {
                ldap1
        }
        autztype Ldap2 {
                ldap2
        }
        files  <--- This is the important one
        chap
}

And in your users file you should put something like this:

DEFAULT NAS-IP-Address == "dsl_nas", Autz-Type := Ldap1

DEFAULT NAS-IP-Address == "dialup_nas", Autz-Type := Ldap2

Try it and tell me how it worked, because I haven't tested the patch heavily.
Alan, maybe we could just use the files module to make authorize/accounting
module selection based on checks on the incoming request instead of extending
radiusd.conf to allow for if/then/else checks.

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]      National Technical University of Athens, Greece
Work Phone:             +30 10 7721861
'Go back to the shadow' Gandalf
diff -ur radiusd.orig/raddb/dictionary radiusd/raddb/dictionary
--- radiusd.orig/raddb/dictionary       Fri Feb 15 12:51:31 2002
+++ radiusd/raddb/dictionary    Fri Feb 15 13:08:16 2002
@@ -189,6 +189,7 @@
 ATTRIBUTE      Add-Prefix              1008    string
 ATTRIBUTE      Add-Suffix              1009    string
 ATTRIBUTE      Expiration              1010    date
+ATTRIBUTE      Autz-Type               1011    integer
 
 #
 #      Integer Translations
@@ -334,6 +335,8 @@
 VALUE          Auth-Type               Crypt-Local             3
 VALUE          Auth-Type               Reject                  4
 VALUE          Auth-Type               ActivCard               5
+
+VALUE          Autz-Type               Local                   0
 
 #
 #      Cistron extensions
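Review bot: The new `VALUE Autz-Type Local 0` line is load-bearing rather than cosmetic: in the modules.c hunk at `@@ -168`, `new_sectiontype_value()` looks up `dict_valbyattr(type, 0)` and returns 0 when that predefined value is missing, which would number every `autztype` section as the default index 0 with no diagnostic, so per-NAS selection would silently stop working. A comment above the new line would make that dependency visible to anyone editing the dictionary: `# Value 0 (Local) is the default authorize list; radiusd needs it defined to number autztype sections`. It is also worth a log message at that `return 0` in modules.c, since a misconfiguration there changes which authorization policy applies without any visible error.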
diff -ur radiusd.orig/src/include/modules.h radiusd/src/include/modules.h
--- radiusd.orig/src/include/modules.h  Fri Feb 15 12:51:31 2002
+++ radiusd/src/include/modules.h       Fri Feb 15 13:09:23 2002
@@ -47,7 +47,7 @@
 };
 
 int setup_modules(void);
-int module_authorize(REQUEST *request);
+int module_authorize(int type, REQUEST *request);
 int module_authenticate(int type, REQUEST *request);
 int module_preacct(REQUEST *request);
 int module_accounting(REQUEST *request);
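Review bot: Changing `module_authorize` to take `int type` is a source-incompatible change to a public prototype, and the patch updates only the call in src/main/auth.c; if any other translation unit in the tree calls `module_authorize(request)` it will now fail to compile, so the remaining callers should be checked before this is applied. The declaration would also benefit from a one-line contract, since neither header nor implementation says what the integer is: `/* type: index from the Autz-Type dictionary value, 0 for the default authorize list */`.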
diff -ur radiusd.orig/src/include/radius.h radiusd/src/include/radius.h
--- radiusd.orig/src/include/radius.h   Fri Feb 15 12:51:31 2002
+++ radiusd/src/include/radius.h        Fri Feb 15 13:07:03 2002
@@ -112,6 +112,7 @@
 #define PW_ADD_PREFIX                  1008
 #define PW_ADD_SUFFIX                  1009
 #define PW_EXPIRATION                  1010
+#define PW_AUTZTYPE                    1011
 #define PW_USER_CATEGORY               1029
 #define PW_GROUP_NAME                  1030
 #define PW_HUNTGROUP_NAME              1031
diff -ur radiusd.orig/src/main/auth.c radiusd/src/main/auth.c
--- radiusd.orig/src/main/auth.c        Fri Feb 15 12:51:31 2002
+++ radiusd/src/main/auth.c     Fri Feb 15 13:05:23 2002
@@ -403,6 +403,7 @@
        VALUE_PAIR      *reply_item;
        VALUE_PAIR      *auth_item;
        VALUE_PAIR      *tmp = NULL;
+       VALUE_PAIR      *autz_type_item = NULL;
        int             result, r;
        char            umsg[MAX_STRING_LEN + 1];
        const char      *user_msg = NULL;
@@ -411,6 +412,8 @@
        int             exec_wait;
        int             seen_callback_id;
        char            buf[1024], logstr[1024];
+       char            autz_retry = 0;
+       int             autz_type = 0;
 
        password = "";
 
@@ -508,7 +511,8 @@
        /*
         *      Get the user's authorization information from the database
         */
-       r = module_authorize(request);
+autz_redo:
+       r = module_authorize(autz_type, request);
        if (r != RLM_MODULE_NOTFOUND &&
                        r != RLM_MODULE_NOOP &&
                        r != RLM_MODULE_OK &&
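Review bot: The new `autz_redo:` label carries no explanation of why the authorize call can run twice, and a reader of this hunk cannot see the `goto` that targets it (it is in the next hunk, after the error check). A comment on the label would save that hunt: `autz_redo: /* entered a second time, at most once, with the Autz-Type chosen by the first pass */`. The enclosing function starts and ends outside the hunk.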
@@ -533,6 +537,15 @@
                 */
                return r;
        }
+       if (!autz_retry){
+               autz_type_item = pairfind(request->config_items, PW_AUTZTYPE);
+               if (autz_type_item){
+                       autz_type = autz_type_item->lvalue;
+                       autz_retry = 1;
+                       goto autz_redo;
+               }
+       }
+
 
        /*
         *      If we haven't already proxied the packet, then check
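Review bot: The second `module_authorize()` pass runs on top of whatever the first pass already added to the request, and nothing here removes or reconciles it, so if the default authorize list and the selected `autztype` list both set the same reply attribute (the per-NAS static address the mail describes is exactly that case) the reply can carry both values and which one the NAS honours is left to chance. At minimum the comment should state this, e.g. `/* Re-run authorize with the Autz-Type chosen by the first pass; items already added by the first pass are kept and merged */`, and it is worth confirming that `indexed_modcall()` treats an `autz_type` index with no compiled `autztype` section as not-found rather than indexing a missing entry. Two smaller points: `autz_retry` is declared `char` in the earlier hunk while the sibling flags `exec_wait` and `seen_callback_id` are `int`, so `int autz_retry = 0;` would match the file; and the added `+` blank line directly before an existing blank line leaves a double blank. The enclosing function starts and ends outside the hunks.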
diff -ur radiusd.orig/src/main/modules.c radiusd/src/main/modules.c
--- radiusd.orig/src/main/modules.c     Fri Feb 15 12:51:31 2002
+++ radiusd/src/main/modules.c  Fri Feb 15 13:00:50 2002
@@ -159,7 +159,7 @@
  * FIXME: move this to dict.c as dict_valadd() and dict_valdel()
  *        also clear value in module_list free (necessary?)
  */
-static int new_authtype_value(const char *name)
+static int new_sectiontype_value(const char *name,int type)
 {
        static int max_value = 32767;
        DICT_VALUE *old_value, *new_value;
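Review bot: The new `type` parameter of `new_sectiontype_value()` is a dictionary attribute number (the callers pass `PW_AUTHTYPE` or `PW_AUTZTYPE`), but neither the name nor the function comment says so; `attr` would describe it better, and the comment should gain a line such as `attr: dictionary attribute whose value space is used (PW_AUTHTYPE or PW_AUTZTYPE)`. The `static int max_value` counter is presumably now shared by both attributes, so generated Auth-Type and Autz-Type numbers come from the same descending pool; that looks harmless but deserves a comment so nobody assumes the two sequences are independent. There is also a missing space after the comma in the new signature, unlike the file's other declarations. The function body continues past the hunk.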
@@ -168,11 +168,11 @@
         *  Check to see if it's already defined.
         *  If so, return the old value.
         */
-       old_value = dict_valbyname(PW_AUTHTYPE, name);
+       old_value = dict_valbyname(type, name);
        if (old_value) 
                return old_value->value; 
-       /* Look for the predefined Auth-Type value */
-       old_value = dict_valbyattr(PW_AUTHTYPE, 0);
+       /* Look for the predefined Type value */
+       old_value = dict_valbyattr(type, 0);
        if (!old_value) 
                return 0;       /* something WIERD is happening */
        
@@ -469,13 +469,15 @@
 
        /* We must assign a numeric index to this subcomponent. For
         * auth, it is generated and placed in the dictionary by
-        * new_authtype_value(). The others are just numbers that are pulled
+        * new_sectiontype_value(). The others are just numbers that are pulled
         * out of thin air, and the names are neither put into the dictionary
         * nor checked for uniqueness, but all that could be fixed in a few
         * minutes, if anyone finds a real use for indexed config of
         * components other than auth. */
        if (comp==RLM_COMPONENT_AUTH)
-               idx = new_authtype_value(cf_section_name2(cs));
+               idx = new_sectiontype_value(cf_section_name2(cs),PW_AUTHTYPE);
+       else if (comp == RLM_COMPONENT_AUTZ)
+               idx = new_sectiontype_value(cf_section_name2(cs),PW_AUTZTYPE);
        else
                idx = meaningless_counter++;
        
@@ -526,7 +528,7 @@
                this = compile_modsingle(comp, modref, filename, &modname);
 
                if (comp == RLM_COMPONENT_AUTH) {
-                       idx = new_authtype_value(modname);
+                       idx = new_sectiontype_value(modname, PW_AUTHTYPE);
                } else {
                        /* See the comment in new_sublist() for explanation
                         * of the special index 0 */
@@ -626,9 +628,9 @@
  *     Call all authorization modules until one returns
  *     somethings else than RLM_MODULE_OK
  */
-int module_authorize(REQUEST *request)
+int module_authorize(int autz_type, REQUEST *request)
 {
-       return indexed_modcall(RLM_COMPONENT_AUTZ, 0, request);
+       return indexed_modcall(RLM_COMPONENT_AUTZ, autz_type, request);
 }
 
 /*
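Review bot: The comment above `module_authorize()` still describes it as calling all authorization modules, but the new `autz_type` parameter selects which compiled `autztype` list runs, with 0 evidently the default `authorize` section, and that contract is documented nowhere; suggest adding to the comment `autz_type: index from the Autz-Type dictionary value (0 = default list)`. The comment in the `@@ -469` hunk has the same staleness: it was updated to name `new_sectiontype_value()` but still says an index is generated only "for auth" and talks of "components other than auth", while the new `else if` now indexes autz too, so that sentence should say both auth and autz sections get dictionary-registered indexes.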
