On Monday 3 February 2003 14:22, Alan DeKok wrote:
> The best thing to do would be to convince them that using a realm
> for logins would be the best thing. That's how everybody else in the
> world does it.
Yes, I am well aware of that, but hey, I simply don't have the power to
do that (*sigh*)...
> I disagree. You only want to authenticate users who are in your
> local domain. All other users should skip authentication, and go
> directly to proxying.
Hem, yes, of course. Sorry for the misunderstanding.
> The solution would be to put all of *your* users into a Unix group.
> You can then do:
>
> DEFAULT Group == "myusers", Auth-Type := System
> # NO fall-through!
>
> DEFAULT Proxy-To-Realm = "otherguy"
Huh... a Unix group? Since I'm working on a SQL backend, that isn't
possible, but all our local users are already in a group in the SQL DB.
I've thus added the Auth-Type attribute to the groups' attributes list
in the radgroupreply table. Here is the complete table:
mysql> SELECT * FROM radgroupreply WHERE GroupName='internix';
+----+-----------+-------------------------+--------------------------------------------+------+------+
| id | GroupName | Attribute               | Value                                      | op   | prio |
+----+-----------+-------------------------+--------------------------------------------+------+------+
|  1 | internix  | Idle-Timeout            | 1800                                       | =    |    0 |
|  2 | internix  | Service-Type            | Framed-User                                | =    |    0 |
|  3 | internix  | Framed-Protocol         | PPP                                        | =    |    0 |
|  4 | internix  | Framed-IP-Address       | 255.255.255.254                            | =    |    0 |
|  5 | internix  | Framed-MTU              | 1500                                       | =    |    0 |
|  6 | internix  | Framed-Compression      | Van-Jacobson-TCP-IP                        | =    |    0 |
| 13 | internix  | Reply-Message           | Welcome to Monaco Internet Dial-Up server! | =    |    0 |
| 15 | internix  | Simultaneous-Use        | 1                                          | =    |    0 |
| 38 | internix  | Port-Limit              | 1                                          | =    |    0 |
| 39 | internix  | Ascend-Maximum-Channels | 1                                          | =    |    0 |
| 42 | internix  | No-Such-Attribute       |                                            | :=   |    0 |
| 48 | internix  | Auth-Type               | System                                     | :=   |    0 |
| 49 | internix  | Fall-Through            | No                                         | :=   |    0 |
+----+-----------+-------------------------+--------------------------------------------+------+------+
13 rows in set (0.00 sec)
Without success (the server continues to proxy the request for local
users, and thus rejects our local users).
> That way, the 'authorize' section discovers who owns what user, and
> picks one of local authentication, or proxying.
That's exactly my goal, but I'm really lost... Here is the authorize
section used for the tests:
authorize {
	preprocess
	sql
	suffix
}
And here is the transcript of 'radiusd -sfxxyz' run :
rad_recv: Access-Request packet from host 194.79.150.4:40941, id=224, length=59
User-Name = "**********"
User-Password = "******"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
modcall: entering group authorize
hints: Matched DEFAULT at 63
modcall[authorize]: module "preprocess" returns ok
radius_xlat: '**********'
rlm_sql (sql): sql_set_user escaped user --> '**********'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE UserName =
'**********' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.UserName = '**********' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE UserName =
'**********' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.UserName = '**********' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
rlm_realm: No '@' in User-Name = "**********", looking up realm NULL
rlm_realm: Found realm DEFAULT
rlm_realm: Setting Stripped-User-Name = "**********"
rlm_realm: Proxying request from user ********** to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Preparing to proxy authentication request to realm DEFAULT
modcall[authorize]: module "suffix" returns updated
modcall: group authorize returns updated
Sending Access-Request of id 1 to ***.**.***.**:1812
User-Name = "**********"
User-Password = "\231.\363\354\207\033\334\2129\2629\260e\016\216d"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "0"
Framed-IP-Address = 194.79.150.195+
Proxy-State = "224"
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host ***.**.***.**:1812, id=1, length=25
Proxy-State = 0x323234
Login incorrect (Home Server says so): [**********/******] (from client dev900 port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 194.79.150.4:40941, id=224, length=59
Sending Access-Reject of id 224 to 194.79.150.4:40941
What I cannot understand is why the server insists on proxying the
request even after the SQL query told it the user was valid. What am I
missing?
> Hmm.. Monaco... I'll probably be in Nice in June. That's just down
> the road...
Hey! Glad to know you like our region (I happen to live in Nice). Hope
you'll have a nice stay here :-)
Cheers,
--
[ Jacques Caruso <[EMAIL PROTECTED]> Développeur PHP ]
[ Monaco Internet http://monaco-internet.mc/ ]
[ Tél : (+377) 93 10 00 43 Clé PGP : 0x41F5C63D ]
[ -+- Support bacteria! They're the only culture some people have. -+- ]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
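As an added illustration (my code, not from the thread or from the FreeRADIUS project), here is a small Python model of the users-file semantics the quoted advice relies on: entries are tried in order, every `==` check item must match the request, `:=` items on the check line become control items, the first matching entry wins unless it has Fall-Through, and reply items are only handed back to the NAS. Those semantics are simplified assumptions, the `Group` attribute stands in for whatever group membership the backend supplies (a Unix group in the advice, an SQL usergroup row in the reply), and all entries and requests are constructed. It also shows two ways the arrangement goes wrong: a Fall-Through on the first entry lets the proxy entry apply to local users as well, and an Auth-Type stored among reply items never becomes a control item.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One users-file style entry (assumed, simplified semantics)."""
    name: str                                    # "DEFAULT" or a specific User-Name
    checks: dict = field(default_factory=dict)   # attr == value, all must match the request
    sets: dict = field(default_factory=dict)     # attr := value on the check line (control items)
    replies: dict = field(default_factory=dict)  # reply items, returned to the NAS only
    fall_through: bool = False                   # Fall-Through = Yes keeps evaluating


def entry_matches(entry, request):
    """True when the entry name applies and every == check item equals the request's value."""
    if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
        return False
    return all(request.get(attr) == value for attr, value in entry.checks.items())


def authorize(entries, request):
    """Walk the entries in order; stop at the first match unless it falls through.

    Returns (control, reply). Only control items (set with :=) decide the
    outcome; reply items are collected but never consulted.
    """
    control, reply = {}, {}
    for entry in entries:
        if not entry_matches(entry, request):
            continue
        control.update(entry.sets)
        reply.update(entry.replies)
        if not entry.fall_through:
            break
    return control, reply


def decide(entries, request):
    """Summarise the outcome: proxy to a realm, authenticate locally, or undecided."""
    control, _reply = authorize(entries, request)
    if "Proxy-To-Realm" in control:
        return "proxy:" + control["Proxy-To-Realm"]
    if "Auth-Type" in control:
        return "local:" + control["Auth-Type"]
    return "undecided"


# Constructed entries mirroring the quoted advice: members of group "myusers"
# are authenticated locally, everybody else is proxied to realm "otherguy".
ADVISED = [
    Entry("DEFAULT", checks={"Group": "myusers"}, sets={"Auth-Type": "System"}),
    Entry("DEFAULT", sets={"Proxy-To-Realm": "otherguy"}),
]

# Same entries, but the first one falls through, so the proxy entry also
# applies to local users (the reason the advice says "NO fall-through!").
WITH_FALL_THROUGH = [
    Entry("DEFAULT", checks={"Group": "myusers"}, sets={"Auth-Type": "System"},
          fall_through=True),
    Entry("DEFAULT", sets={"Proxy-To-Realm": "otherguy"}),
]

# Auth-Type placed among the reply items instead of on the check line: it is
# returned to the NAS but never becomes a control item, so nothing is decided
# for local users.
AUTH_TYPE_IN_REPLY = [
    Entry("DEFAULT", checks={"Group": "myusers"}, replies={"Auth-Type": "System"}),
    Entry("DEFAULT", sets={"Proxy-To-Realm": "otherguy"}),
]

# Constructed requests; "Group" stands for the membership the backend supplies.
LOCAL_USER = {"User-Name": "alice", "Group": "myusers"}
FOREIGN_USER = {"User-Name": "bob", "Group": "guests"}

if __name__ == "__main__":
    for label, entries in [("advised", ADVISED),
                           ("fall-through", WITH_FALL_THROUGH),
                           ("auth-type-in-reply", AUTH_TYPE_IN_REPLY)]:
        print(f"{label:20} local={decide(entries, LOCAL_USER):16} "
              f"foreign={decide(entries, FOREIGN_USER)}")
```

Running the script prints one line per entry set; the first set sends the local user to `local:System` and the foreign user to `proxy:otherguy`, while the other two sets show the local user either proxied (fall-through) or left undecided (Auth-Type only in the reply list).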