Alan DeKok wrote:

Josh Howlett <[EMAIL PROTECTED]> wrote:


The sole objective, at least from where I'm standing, is to pass
information about a user from a database (or equiv.) to apache.


to *where* in Apache?

How do I take information from a RADIUS attribute, and magically
place it "somehow" in Apache, so that other modules can use it?


While I helped start this topic, I've been silent recently -- I'm working on finishing the project but I do have something to add right now on this particular thread.

There are two answers to where to pass/process information (additional attributes) from RADIUS in Apache:

1) to the authentication module itself, where the attributes are processed and utilized.
More thought and planning needs to be done to specify a generic solution.


2) through the authentication module to the server environment as a variable or a set of variables.
There is a document for Environment Variables in Apache (1.3x) <http://httpd.apache.org/docs/env.html>, which discusses high-level usage in the server, and there is the Apache module mod_env <http://httpd.apache.org/docs/mod/mod_env.html>, which would show (in its source code) an example of how to create and set an Apache server environment variable. At that point, those variables could be utilized in the Apache configuration or in server-side functional environments (CGIs, SSIs, etc.)


Until #1 is thought through, #2 would be a good solution in the meantime, exposing the attribute information to the server environment.

The question should arise, what are the security risks in exposing the RADIUS attribute information to the Apache server side environment?

I believe the answer is that when the attributes are exposed only on an accept-access packet, then we know we have an authenticated user from a configured (and known) authenticated resource, so there is little risk that this RADIUS resource is trying to attack the Apache server with dangerous information such as a buffer overflow, executable code, etc.

Do you agree?

Cheers,
--Mark


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
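
Added example (not part of the original message, and not code from mod_env or any existing RADIUS module): checks an authentication module could apply to a RADIUS attribute before exporting it to the server environment as in option 2 above. The function names, the `RADIUS_` prefix and the printable-ASCII policy are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_MAX_VALUE 253 /* max octets in one RADIUS attribute value (RFC 2865) */

/* Build "RADIUS_<NAME>": upper-case alphanumerics, everything else '_'. The prefix
 * keeps attributes from colliding with PATH, HTTP_* etc. Returns 0, or -1 on error. */
int radius_env_name(const char *attr, char *out, size_t outlen)
{
    static const char prefix[] = "RADIUS_";
    size_t n = strlen(attr), p = sizeof(prefix) - 1;
    if (n == 0 || p + n + 1 > outlen)
        return -1;
    memcpy(out, prefix, p);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)attr[i];
        out[p + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[p + n] = '\0';
    return 0;
}

/* Copy raw attribute octets (length-delimited, not NUL-terminated) into a C string.
 * Rejects over-long values and NUL, control or non-ASCII octets. Returns 0 or -1. */
int radius_env_value(const unsigned char *val, size_t len, char *out, size_t outlen)
{
    if (len > RADIUS_MAX_VALUE || len + 1 > outlen)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (val[i] < 0x20 || val[i] > 0x7e)
            return -1;
        out[i] = (char)val[i];
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample attribute, not taken from a real server. */
    const unsigned char v[] = "staff";
    char name[64], value[RADIUS_MAX_VALUE + 1];
    if (radius_env_name("Filter-Id", name, sizeof name) == 0 &&
        radius_env_value(v, 5, value, sizeof value) == 0)
        printf("%s=%s\n", name, value); /* the pair a module would export */
}
```

Only a name/value pair that passes both checks would be stored in the request's environment table; a rejected attribute is simply not exported.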
