On Mon, 2003-03-24 at 17:06, Alan DeKok wrote:
> "Mark Lavi" <[EMAIL PROTECTED]> wrote:
> > However, it is common to have different "groups" in an authenticated
> > population. Say, for instance, a department of an organization. Once you
> > know that attribute (if it exists) for a person, you can say restrict
> > access to different resources on the web server.
>
> I agree. At the time the module was written, there were no RADIUS
> standards for defining groups. The other module you pointed to
> implements groups by re-defining existing RADIUS attributes, which is
> *very* bad.

I am quite interested in this concept of passing WWW-flavoured attributes to a WWW application via RADIUS. Alan has already pointed out the need to prevent (i) re-defining existing attributes and (ii) not implementing site-specific attributes.

Might I suggest a general mechanism for implementing this, whereby arbitrary and application-specific variable/value pairs are passed to the WWW application within a 'generic' wrapper A/V? The auth server concatenates the variables within a single wrapper A/V in the Access-Accept, which mod_auth_radius unwraps and passes the contained variables to Apache.

This approach only requires defining a single new A/V. The contents of the A/V would be site-specific (user-group, favourite colour, etc).

regards, josh.

--
-----------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing,
University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
------------------------------------------------------------
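
One way the unwrapping step proposed above could be done, as an added example that is not part of the original post or of mod_auth_radius. The `name=value;name=value` encoding, the `RADIUS_` prefix and the names `unwrap_av` and `struct pair` are assumptions made here; the whole attribute is rejected if any pair is malformed, and exported names are prefixed so they cannot collide with variables the web server sets itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_AV_LEN 253   /* largest value a single RADIUS attribute can carry */
#define PREFIX "RADIUS_" /* assumed namespace for variables handed to Apache */

struct pair { char name[64]; char value[MAX_AV_LEN + 1]; };

/* Unwrap "name=value;name=value" (assumed encoding) into out[].
 * Returns the number of pairs, or -1 if any part is malformed;
 * on -1 the caller should export nothing. */
int unwrap_av(const unsigned char *av, size_t len, struct pair *out, int max)
{
    size_t i = 0;
    int n = 0;
    if (len == 0 || len > MAX_AV_LEN) return -1;
    while (i < len) {
        size_t ns = i, ne, vs;
        if (n == max) return -1;                 /* more pairs than the caller allows */
        while (i < len && (isalnum(av[i]) || av[i] == '_')) i++;
        ne = i;
        if (ne == ns || i == len || av[i] != '=') return -1;
        if (ne - ns + sizeof(PREFIX) > sizeof(out[n].name)) return -1;
        vs = ++i;
        /* values: printable ASCII only, so no NUL, CR/LF or other control bytes */
        while (i < len && av[i] != ';') {
            if (av[i] < 0x20 || av[i] > 0x7e) return -1;
            i++;
        }
        snprintf(out[n].name, sizeof(out[n].name), "%s%.*s", PREFIX,
                 (int)(ne - ns), (const char *)av + ns);
        snprintf(out[n].value, sizeof(out[n].value), "%.*s",
                 (int)(i - vs), (const char *)av + vs);
        n++;
        if (i < len && ++i == len) return -1;    /* trailing ';' with no pair after it */
    }
    return n;
}

int main(void)
{
    const char *av = "group=staff;colour=blue"; /* constructed sample value */
    struct pair p[8];
    int n = unwrap_av((const unsigned char *)av, strlen(av), p, 8);
    for (int k = 0; k < n; k++) printf("%s=%s\n", p[k].name, p[k].value);
    return n < 0;
}
```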
