Hello Bjorn,
Friday, March 22, 2002, 4:34:38 PM, you wrote:
BN> Hello,
BN> We are running Cistron, but will probably migrate to FreeRADIUS shortly.
BN> Today, we have a user database of about 1 million entries contained in a
BN> GDBM file (GDBM support hacked into Cistron). All of these users have a
BN> Group-Name attribute, for instance "isdnuser". We also have a group file
BN> (also hacked in), where the groups are defined like this:
BN> isdnuser Called-Station-Id = "22334455"
BN> When RADIUS checks the users, it first attempts to expand Group-Name via
BN> the groups file, and uses the check items (if any) returned from the
BN> expansion.
BN> The idea is to be able to quickly respond to changes that affect a large
BN> group of users. Instead of changing every entry in the user database, a
BN> single change in the groups file is all that is needed.
BN> Is this possible with FreeRADIUS, or is there a better way to do this kind
BN> of thing?
BN> Thanks in advance!
I had the same problem some time ago. It was the reason for writing the rlm_dbm module.
The main idea is group support, as the specificity of an associative database ('key -
values' structure) doesn't allow us to use several entities with the same
username.
The second is to allow more than one checklist-replylist pair in a user record.
Now I have a db database with about 120 thousand user records and 18 user groups. I
use a perl script to manage the database, but you can use rlm_dbm_cat or dbm_parser to do it.
There is no need to restart the radius server after changing the user database. Fragments of
the group file (groups.uft) and user entries follow:
################# groups ###########################
GenGuest Auth-Type := Reject, Huntgroup-Name == sandy-pop
        Reply-Message = "Illegal request", Fall-Through = 0
;
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Session-Timeout = 300,
        Cisco-AVPair += "ip:addr-pool=GUEST"
NAS-Port-Type != ISDN
        Cisco-AVPair += "ip:inacl=GUEST"
GenDialup
        Service-Type = Framed-User,
        Cisco-AVPair += "ip:addr-pool=SANDY",
        Framed-Protocol = PPP
Locked Auth-Type := Reject
        Reply-Message = "Your account has been disabled. Call 111-22-33,
#### user record fragments ########################
# guest entry
sandy Auth-Type := Local, Password == "sandy"
        User-Category = GenGuest
ssalex Auth-Type := Local, Password == "passs"
        User-Category = "GenDialup"
ssmike Auth-Type := Local, Password == "pass1"
        User-Category = "Locked"
Assume users.db is the users database; then, to add (or modify) the content of the groups:
cat groups.uft | rlm_parse -f users
To view a group or user entry:
rlm_cat -f users GenDialup
To list the whole database:
rlm_cat -f users
I can't write a good manual for rlm_dbm, due to low English experience.
But if anybody can do it, please do not hesitate to contact me.
--
Andrei Koulik.
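The group-expansion scheme discussed in the question and in the reply above, as an added worked example in Python. This is not rlm_dbm's or FreeRADIUS's code: it parses a simplified, assumed form of the fragments quoted in the mail (an unindented line starts a record with its check items, indented lines carry reply items, a line holding only ';' starts another check/reply pair of the same record), follows the User-Category pointer into the group table, and merges the first group pair whose check items match the request. The attribute names, the precedence rules and the sample records are all assumptions constructed for the example.

```python
"""Group expansion for RADIUS user records, modelled on the scheme in this thread.

Added example, not rlm_dbm's or FreeRADIUS's code. Assumed file syntax: an unindented
line starts a record (name, then comma-separated check items), indented lines carry
reply items, and a line holding only ';' starts another check/reply pair of the same
record. A user record names its group with the User-Category reply item, as in the mail.
"""
import re
from dataclasses import dataclass, field

# check side: ':=' assigns a control item, '==' must equal, '!=' must differ;
# reply side: '=' and ':=' set an attribute, '+=' appends a further value
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*("[^"]*"|[^,]+)')
GROUP_ATTR = "User-Category"     # assumed name of the group pointer


@dataclass
class Pair:
    checks: list                                # [(attr, op, value), ...]
    replies: list = field(default_factory=list)


def parse_items(text):
    return [(a, op, v.strip().strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_records(text):
    """Parse a users- or groups-style file into {name: [Pair, ...]}."""
    records, name, same_record = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank line or comment
        if raw.strip() == ";":                  # next unindented line continues this record
            same_record = True
        elif raw[0] in " \t":                   # reply items for the current pair
            records[name][-1].replies.extend(parse_items(raw))
        elif same_record:
            records[name].append(Pair(parse_items(raw)))
            same_record = False
        else:
            parts = re.split(r"\s+", raw.strip(), maxsplit=1)
            name, checks = parts[0], (parts[1] if len(parts) > 1 else "")
            records.setdefault(name, []).append(Pair(parse_items(checks)))  # repeated name: one more pair
    return records


def check_matches(checks, request):
    """Evaluate check items against a request dict; returns (matched, control items)."""
    controls = {}
    for attr, op, value in checks:
        if op == ":=":
            controls[attr] = value
        elif op == "==" and request.get(attr) != value:
            return False, {}
        elif op == "!=" and request.get(attr) == value:
            return False, {}
    return True, controls


def apply_replies(reply, items):
    for attr, op, value in items:
        if op == "+=":
            reply.setdefault(attr, []).append(value)
        else:
            reply[attr] = [value]


def authorize(users, groups, request):
    """Return (Auth-Type, reply) for the first matching user pair, expanded through its
    group, or (None, {}) if none matches. Assumed precedence: group control items
    override the user's; group reply items are merged after the user's own."""
    for pair in users.get(request.get("User-Name", ""), []):
        matched, controls = check_matches(pair.checks, request)
        if not matched:
            continue
        reply = {}
        apply_replies(reply, pair.replies)
        group_name = reply.pop(GROUP_ATTR, [None])[0]
        for gpair in groups.get(group_name, []):   # first matching group pair wins
            matched, gcontrols = check_matches(gpair.checks, request)
            if matched:
                controls.update(gcontrols)
                apply_replies(reply, gpair.replies)
                break
        return controls.get("Auth-Type"), reply
    return None, {}


# constructed sample data, the same shape as the fragments quoted in the mail
GROUPS = """\
GenGuest Auth-Type := Reject, Huntgroup-Name == sandy-pop
    Reply-Message = "Illegal request"
;
NAS-Port-Type != ISDN
    Service-Type = Framed-User, Framed-Protocol = PPP, Session-Timeout = 300
    Cisco-AVPair += "ip:addr-pool=GUEST", Cisco-AVPair += "ip:inacl=GUEST"
GenDialup
    Service-Type = Framed-User, Framed-Protocol = PPP, Cisco-AVPair += "ip:addr-pool=SANDY"
Locked Auth-Type := Reject
    Reply-Message = "Your account has been disabled."
"""
USERS = """\
sandy Auth-Type := Local, Password == "sandy"
    User-Category = GenGuest
ssmike Auth-Type := Local, Password == "pass1"
    User-Category = "Locked"
"""
```

With these records, `authorize(parse_records(USERS), parse_records(GROUPS), {"User-Name": "ssmike", "Password": "pass1"})` yields a Reject with the Locked group's Reply-Message, and changing that one group line changes the answer for every user whose record points at Locked, which is the point of the scheme: the per-user record stays untouched. Because `parse_records` appends a further pair when a name repeats, several entries for one username can also live in a single key, which is the limitation of a plain key-value database that the reply mentions.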
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html