"Mark Lavi" <[EMAIL PROTECTED]> wrote:
> However, it is common to have different "groups" in an authenticated 
> population. Say, for instance, a department of an organization. Once you 
> know that attribute (if it exists) for a person, you can say restrict 
> access to different resources on the web server.

  I agree.  At the time the module was written, there were no RADIUS
standards for defining groups.  The other module you pointed to
implements groups by re-defining existing RADIUS attributes, which is
*very* bad.

  Now that FreeRADIUS has a private enterprise code, we can implement
groups in the FreeRADIUS dictionary.

> Finally, if the group (or any other RADIUS attribute) is exposed at a 
> server environment variable, this would be a mechanism for any server 
> side web application to leverage that information for conditional 
> security based upon those attributes within a page of an application. 

  I agree completely, I'm not arguing that point.  What I was saying
was that we have to be careful about *how* the groups are implemented.

> 1. Groups are an important attribute utilized in many situations and 
> environments.
>    They are enabled in even the most basic Apache authentication modules.
>    We can witness a fork which, amongst other things, attempts an 
> implementation of groups.

  If someone is willing to supply patches to the module to implement
groups as a FreeRADIUS VSA, I'm willing to add those to the module.

> 2. The ability to leverage RADIUS attributes in a web server environment
>     extends the utility of RADIUS, whatever those attributes may be.

  Sure.

>     Discarding those attributes reduces RADIUS' utility.

  I couldn't figure out how to use the RADIUS attributes in the rest
of Apache.  The simplest thing to do was to ignore them.

  If you've got a method whereby the RADIUS attributes can easily be
used in the rest of Apache, then I'm all for it.  But all of the
methods I've seen so far are very site-specific.

> Not having the "escape mechanism" or back channel to expose the RADIUS 
> attributes to the web server reduces the full utility of this module and 
> the RADIUS server.

  How are these RADIUS attributes exposed to the web server?

> I will understand and respect your decisions, I'm thankful to you and 
> the freeradius community for this work. I hope this discussion is 
> constructive to promote the further utility of RADIUS with web applications.

  I'm not arguing against what you want to do, I just want to be sure
that it's done right, and that it's useful to situations other than
yours.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
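The two mechanisms argued over above, carrying a group in a FreeRADIUS vendor-specific attribute rather than by redefining a standard attribute, and exposing it to server-side code as an environment variable the application can check, sketched as an added example. This is not code from the Apache RADIUS module or from FreeRADIUS. The FreeRADIUS vendor ID 11344 is the real IANA enterprise number; the sub-attribute number 200, the RADIUS_GROUPS variable name and its colon-separated encoding, the resource ACL and the sample Access-Accept bytes are all constructed for the example.

```python
import posixpath
import struct

# FreeRADIUS private enterprise number (IANA-assigned, real).
VENDOR_FREERADIUS = 11344
# Sub-attribute number for a hypothetical "group" VSA in the FreeRADIUS
# dictionary. This value is an assumption made for the example.
FREERADIUS_GROUP_SUBATTR = 200

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26


def parse_attributes(payload: bytes):
    """Walk a RADIUS attribute list (RFC 2865 type/length/value triples)."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(sub_type, sub_value), ...])."""
    if len(value) < 4:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def radius_groups(payload: bytes):
    """Collect groups from FreeRADIUS group VSAs; other vendors' VSAs are ignored."""
    groups = set()
    for t, v in parse_attributes(payload):
        if t != ATTR_VENDOR_SPECIFIC:
            continue
        vendor, subs = parse_vsa(v)
        if vendor != VENDOR_FREERADIUS:
            continue  # not our dictionary; never reinterpret another vendor's data
        for st, sv in subs:
            if st == FREERADIUS_GROUP_SUBATTR:
                groups.add(sv.decode("utf-8"))
    return groups


def export_environ(username: str, groups):
    """What a module might hand to the application: assumed variable names."""
    return {"REMOTE_USER": username, "RADIUS_GROUPS": ":".join(sorted(groups))}


# Constructed ACL: path prefix -> groups allowed; an empty set means any
# authenticated user. Longest prefix wins.
RESOURCE_ACL = {
    "/admin": {"web-admins"},
    "/eng": {"engineering", "web-admins"},
    "/": set(),
}


def is_allowed(environ, path: str) -> bool:
    """Require an authenticated user, then a group from the matching ACL entry."""
    if not environ.get("REMOTE_USER"):
        return False
    have = {g for g in environ.get("RADIUS_GROUPS", "").split(":") if g}
    # Normalise before matching so "/admin/../eng/x" is judged as "/eng/x".
    path = "/" + posixpath.normpath(path).lstrip("/")
    for prefix in sorted(RESOURCE_ACL, key=len, reverse=True):
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            need = RESOURCE_ACL[prefix]
            return not need or not have.isdisjoint(need)
    return False


# --- constructed sample Access-Accept attribute list -----------------------
def attr(t: int, value: bytes) -> bytes:
    return bytes([t, len(value) + 2]) + value


def vsa(vendor: int, sub_t: int, sub_value: bytes) -> bytes:
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor) + attr(sub_t, sub_value))


SAMPLE_ACCEPT_ATTRS = (
    attr(ATTR_USER_NAME, b"mlavi")
    + vsa(VENDOR_FREERADIUS, FREERADIUS_GROUP_SUBATTR, b"engineering")
    + vsa(VENDOR_FREERADIUS, FREERADIUS_GROUP_SUBATTR, b"web-admins")
    + vsa(9, 1, b"shell:priv-lvl=15")  # Cisco (vendor 9) AV-pair: must be ignored
)

if __name__ == "__main__":
    groups = radius_groups(SAMPLE_ACCEPT_ATTRS)
    env = export_environ("mlavi", groups)
    print(env, is_allowed(env, "/admin/users"), is_allowed(env, "/admin/../eng/x"))
```

The group sub-attribute lives under FreeRADIUS's own vendor ID, so a packet from a server using some other vendor's dictionary (the Cisco AV-pair above) can never be misread as a group grant, which is the objection to overloading existing attributes. On the application side the check only trusts REMOTE_USER and RADIUS_GROUPS because, in a real deployment, those must be set by the authentication module on every request and be impossible for the client to supply; the path is normalised before the prefix match so traversal in the request cannot pick a looser ACL entry.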
