Hi -
The weather is still just as nice here....blue sky, sunshine, 30 degrees... :-)
On Mon, 14 Feb 2000, Gildas PERROT wrote:
> The little daily hello ;-)
>
> > Hi Gildas -
> >
> > On Fri, 11 Feb 2000, Gildas PERROT wrote:
> > > Hi Hugh,
> > >
> > > > > - is it possible to define default check and reply items like :
> > > > >
> > > > > Auth-Type = System
> > > > > User-Service-Type = Framed-User,
> > > > > Framed-Protocol = PPP,
> > > > > Framed-Netmask = 255.255.255.0,
> > > > > Framed-Routing = None,
> > > > > Framed-MTU = 1500,
> > > > > Ascend-Idle-Limit = 600
> > > > >
> > > > > for each user instead of defining them in users file ?
> > > >
> > > > Sure - you can use AddToReply or AddToReplyIfNotExist in your AuthBy, or you
> > > > can use cascaded AuthBy's. Tell me a bit more about what you want to do and
> > > > I'll give you an example configuration file.
> > > >
> > > > > In this case, do other entries in users file take precedence on default one ?
> > > >
> > > > If you specify AddToReplyIfNotExist, the users file will take precedence.
> > >
> > > What I would like is to define the minimum things in users database and define
> > > default check and reply items which can be overwritten by users entries.
> > > I would like to defined the default check items :
> > >
> > > Auth-Type = System
> > > User-Service-Type = Framed-User
> > >
> > > and the default reply items :
> > >
> > > Framed-Protocol = PPP,
> > > Framed-Address = 193.149.106.4,
> > > Framed-Netmask = 255.255.255.255,
> > > Framed-Routing = None,
> > > Framed-MTU = 1500,
> > > Ascend-Idle-Limit = 600
> > >
> > > I suppose that the only entry for certain users will be its login then ?
> > >
> > > > Using the definition in the standard Radiator dictionary is this:
> > > >
> > > > p50fr Password = "fdsfdsfsdf"
> > > > Service-Type = Framed-User,
> > > > Framed-Protocol = PPP,
> > > > Framed-Address = 193.149.103.161,
> > > > Framed-Netmask = 255.255.255.240,
> > > > Ascend-Idle-Limit = 300
> > > >
> > > > You can either edit your users file to use the standard Radiator dictionary, or
> > > > add User-Service-Type to the Radiator dictionary (its just a text file). Also
> > > > notice that there is an error with a trailing comma "," after the
> > > > Password = "fdsfdsfsdf".
> > >
> > > Effectively, a comma after Password = "jjk" is an error but I don't understand
> > > since Service-Type is check item and in the Figure 6 (Typical user entry in a
> > > flat user database of 15.2), it is said : no comma at end of check item => I
> > > would put a comma after Password not after Service Type.
> > >
> >
> > I see - I didn't realise you were using Service-Type as a check item - it is OK
> > to do this of course but I usually see it used as a reply item.
>
> In fact, I am not using Service-Type as a check item ! It's the example in the
> Figure 6 (Typical user entry in a flat user database of 15.2) which is talking
> about and making me confused. Is it a mistake ?
>
Ahhhh - no it is not a mistake - just an example of something you could do.
Some organisations have users logging in with different protocol requirements
(Framed-User, Login-User, Administrative-User, ...) and so need to return
different attributes depending on the Service-Type of the request. Most
customers only operate PPP connections, so they don't check the Service-Type,
they just return the attributes for Framed-User.
> >
> > Here is what you want to do:
> >
> > # define an AuthBy FILE with a file containing only usernames and passwords
> >
> > <AuthBy FILE>
> > Identifier CheckUserPassword
> > Filename %D/user.password
> > </AuthBy>
> >
> > # define an AuthBy FILE with a file containing only defaults
> >
> > <AuthBy FILE>
> > Identifier CheckUserDefault
> > Filename %D/user.default
> > AddToReplyIfNotExist Service-Type = Framed-User, \
> > Framed-Protocol = PPP, \
> > Framed-IP-Address = 193.149.106.4, \
> > Framed-IP-Netmask = 255.255.255.255, \
> > Framed-Routing = None, \
> > Framed-MTU = 1500, \
> > Ascend-Idle-Limit = 600
> > </AuthBy>
> >
> > # now define your normal Realms or Handlers
> >
> > <Realm ....>
> > AuthBy CheckUserDefault
> > </Realm>
> >
> > ....
> >
> >
> > Then the files %D/user.default and %D/user.password would contain the following:
> >
> > # file %D/user.default
> >
> > DEFAULT Service-Type = Framed-User, Auth-Type = CheckUserPassword
> >
> >
> > # file %D/user.password
> >
> > p50fr Password = "fdsfdsfsdf"
> >
> > ....
> >
> >
> > How this works is as follows - the selected Realm will call the AuthBy with
> > "Identifier CheckUserDefault" which will check the Service-Type, then call the
> > AuthBy with "Identifier CheckUserPassword"
> >
> > after checking the username and password (and adding any user-specific reply
> > attributes), CheckUserPassword returns to CheckUserDefault which adds the
> > default reply attributes only if they haven't already been added
> >
> > You should note that AddToReplyIfNotExist is in a patch to Radiator 2.14.1:
> >
> > http://www.open.com.au/radiator/downloads/patches-2.14.1/
> >
> > 6/9/99 Rolled the AddToReplyIfNotExist.patch into the base code. This code
> > was contributed by Vincent Gillet <[EMAIL PROTECTED]>, and implements
> > the AddToReplyIfNotExist parameter, which will append an attribute
> > to a reply if and only if the attribute is not already present.
> > Also added new check item Request-Type. This is mostly useful
> > in Handlers, to allow you to trigger on different types of
> > requests.
> > Download AuthGeneric.pm and AttrVal.pm from here.
>
> What a complex way ;-) ! I just want to have as a default reply (if no other
> value of those check items in users file) : Service-Type =
> Framed-User,Framed-Protocol = PPP,Framed-Netmask =
> 255.255.255.0,Framed-Routing = None,Framed-MTU = 1500,Ascend-Idle-Limit = 600.
>
> Is DefaultReply not sufficient to do that ?
>
No. Default-Reply will only add the attributes if there are no other attributes
in the reply. If you specify some attributes in the users file that you want to
take precedence, you will need to use AddToReplyIfNotExist.
> And what about having default check item "Auth-Type = System" (if not another
> value defined in users file) for users defined in users file and only them.
>
OK - let me try again.
# may need UseGetspnam (see section 6.31 in the manual)
<AuthBy SYSTEM>
Identifier CheckSystem
UseGetspnam
</AuthBy>
# define an AuthBy FILE with defaults
<AuthBy FILE>
Identifier CheckUser
Filename %D/users
AddToReplyIfNotExist Service-Type = Framed-User, \
Framed-Protocol = PPP, \
Framed-IP-Address = 193.149.106.4, \
Framed-IP-Netmask = 255.255.255.255, \
Framed-Routing = None, \
Framed-MTU = 1500, \
Ascend-Idle-Limit = 600
</AuthBy>
# now define your normal Realms or Handlers
<Realm ....>
AuthBy CheckUser
</Realm>
....
# file %D/users
p50fr Auth-Type = CheckSystem
....
How is that? It may seem slightly complex, but it is the only way to add
attribute handling to an AuthBy SYSTEM.
see you soon ....
Hugues
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
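To make the precedence rules discussed in this thread concrete, here is an added Python model (not Radiator's own code) of how a flat users-file entry's reply items combine with a server-side default list under DefaultReply, AddToReply and AddToReplyIfNotExist, using the semantics Hugh describes above; the function names are my own and the sample entry and default list are constructed from the values quoted in the thread.

```python
# Added example, not Radiator's own code: models the three reply-merging
# options discussed in the thread for a flat users-file entry.
#   DefaultReply         - defaults used only when the entry yielded no reply items
#   AddToReply           - defaults always appended (duplicates possible)
#   AddToReplyIfNotExist - defaults appended only for attributes not already present

def parse_attr_list(text):
    """Parse 'A = x, B = y' items (commas, newlines or '\\' continuations) into pairs."""
    pairs = []
    for item in text.replace("\\\n", " ").replace("\n", ",").split(","):
        item = item.strip()
        if item:
            name, _, value = item.partition("=")
            pairs.append((name.strip(), value.strip().strip('"')))
    return pairs

def parse_user_entry(entry):
    """Flat users-file entry: first line 'user check-items', later lines reply items."""
    lines = entry.strip().splitlines()
    user, _, checks = lines[0].strip().partition(" ")
    return user, parse_attr_list(checks), parse_attr_list("\n".join(lines[1:]))

def merge_reply(reply, defaults, mode):
    """Return the final reply item list for the given option name."""
    if mode == "DefaultReply":
        return list(reply) if reply else list(defaults)
    if mode == "AddToReply":
        return list(reply) + list(defaults)
    if mode == "AddToReplyIfNotExist":
        present = {name for name, _ in reply}
        return list(reply) + [(n, v) for n, v in defaults if n not in present]
    raise ValueError("unknown option: " + mode)

# Constructed sample entry and default list (values taken from the thread).
USER_ENTRY = '''p50fr Password = "fdsfdsfsdf"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 193.149.103.161,
    Framed-IP-Netmask = 255.255.255.240,
    Ascend-Idle-Limit = 300'''
DEFAULTS = parse_attr_list('''Service-Type = Framed-User, \\
    Framed-Protocol = PPP, \\
    Framed-IP-Address = 193.149.106.4, \\
    Framed-IP-Netmask = 255.255.255.255, \\
    Framed-Routing = None, \\
    Framed-MTU = 1500, \\
    Ascend-Idle-Limit = 600''')
```

With AddToReplyIfNotExist the user's Ascend-Idle-Limit = 300 survives and only Framed-Routing and Framed-MTU come from the defaults, whereas DefaultReply contributes nothing at all once the entry has any reply item of its own.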