Hi Heikki,

Thanks for the pointer.  What I want to accomplish (forgetting about the actual 
code) is to define all of my users in a single file.  And in the same file to be 
able to distinguish which reply attributes are returned based on the RADIUS 
client.  That is, for example, if a user from a group "foo" tries to access the 
system using an Aruba controller, then the Reply Attribute might be 
Aruba-Priv-Admin-User=1.  Whereas, if a different user who is part of a group 
"bar" comes via the same Aruba controller, then the Reply Attribute might be 
Aruba-Priv-Admin-User=2. Additionally, if the user is part of group "foo" but tries 
to access the system via a Cisco switch, he might get a Reply Attribute 
"Cisco-Account-Info=blah", and so on and so forth.

I can't seem to figure out how to do it in a single user file.  The closest I 
came to was similar to what you are describing:

<Handler Client-Identifier=aruba-controller>
        AuthByPolicy ContinueWhileAccept
        AuthBy krb-ldap-auth (AuthBy GROUP)
        AuthBy file-auth
</Handler>

Then in ldap-auth, I force retrieval of all groups that the user belongs to 
into a User-Groups comma-separated attribute.
<AuthBy LDAP2>
....
        PostSearchHook sub { $_[2]->add_attr('User-Groups', 
join(',',$_[0]->getUserGroups($_[1], $_[2]))); }
</AuthBy>

However, now comes the dilemma of forcing <AuthBy FILE> to match on an individual 
group from the above list.  I am thinking of something like this in the user 
file:
DEFAULT Client-Identifier=aruba-controller Group=foo
        Aruba-Priv-Admin-User=1

DEFAULT Client-Identifier=aruba-controller Group=bar
        Aruba-Priv-Admin-User=2

DEFAULT Client-Identifier=cisco-switch Group=foo
        Cisco-Account-Info=blah


But, <AuthBy FILE> doesn't deal with groups by default, and I am not sure how 
to force it to loop through all of the groups in User-Groups....

Thanks!
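One way to get the per-client, per-group reply behaviour described above, as an added example that is not from this thread or from Radiator's own code: a Handler-level PostAuthHook that looks the client identifier and each group in User-Groups up in a table, instead of relying on <AuthBy FILE> to match groups. It assumes User-Groups was added to the request by the LDAP PostSearchHook shown above, that the hook is loaded with Radiator's file:"..." form (the file is evaluated and must yield a code reference), and reuses the client identifiers, groups and reply values from the messages; the path /etc/radiator/group-reply.pl is a placeholder.

```perl
# Added example, not from the thread. Load from the Handler with:
#   PostAuthHook file:"/etc/radiator/group-reply.pl"   (placeholder path)
# Assumes a User-Groups attribute (comma-separated) is already present on
# the request, added by the LDAP PostSearchHook from the message above.
use strict;
use warnings;

# Client-Identifier -> group -> reply attribute name/value pairs.
# Identifiers, groups and values are the ones used in the thread.
my %reply_for = (
    'aruba-controller' => {
        foo => [ 'Aruba-Priv-Admin-User' => 1 ],
        bar => [ 'Aruba-Priv-Admin-User' => 2 ],
    },
    'cisco-switch' => {
        foo => [ 'Cisco-Account-Info' => 'blah' ],
    },
);

# Return the reply pairs for the first group (in User-Groups order) that has
# an entry for this client, or an empty list if nothing matches. A client or
# group with no entry is simply ignored, not rejected.
sub reply_attrs_for {
    my ($client_id, $groups_csv) = @_;
    my $by_group = $reply_for{ $client_id // '' } or return;
    for my $group (split /\s*,\s*/, $groups_csv // '') {
        return $by_group->{$group} if exists $by_group->{$group};
    }
    return;
}

# Radiator calls a PostAuthHook as ($p, $rp, \$result, \$reason).
sub {
    my ($p, $rp, $result) = @_;
    return unless $$result == $main::ACCEPT;   # only decorate accepted requests
    my $client_id = $p->{Client}->{Identifier};
    my $groups    = $p->get_attr('User-Groups');
    my $attrs     = reply_attrs_for($client_id, $groups);
    return unless $attrs;                      # no match: leave the reply as-is
    my @pairs = @$attrs;
    while (@pairs) {
        my ($name, $value) = splice @pairs, 0, 2;
        $rp->add_attr($name, $value);
    }
    &main::log($main::LOG_DEBUG,
        "group-reply: client $client_id, groups " . ($groups // '')
        . ", added " . join('=', @$attrs));
};
```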


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Heikki Vatiainen
Sent: Thursday, April 04, 2013 3:53 PM
To: [email protected]
Subject: Re: [RADIATOR] Ideas on group and reply attribs parsing

On 04/04/2013 03:40 PM, Garry Shtern wrote:

> I am trying to accomplish the following goal and would love ideas on 
> the best way to accomplish it...

Have you considered something like:

<Handler Client-Identifier=abc>
  AuthByPolicy ContinueWhileAccept
  AuthBy krb-auth
  AuthBy ldap-auth
  # If still here, have authenticated and have group
  <AuthBy FILE>
    Filename users
    AuthenticateAttribute Group
  </AuthBy>
</Handler>

Where 'users' may look like this:
group1
    Custom-Attribute=1

group2
    Custom-Attribute=2

You are describing the problem in terms of configuration you are thinking about 
and this makes it quite hard for me to follow. Bouncing off from AuthBy FILE 
with Auth-Type check item seems quite complex and I'm thinking there's probably 
an easier way to do this.

Thanks,
Heikki


> -  Setup clients with identifiers.
> 
> -  In the user file specify multiple defaults, with
> Client-Identifier, Auth-Type and optional Group attributes in check 
> replies, and different reply attributes.
> 
> -  Defined custom AuthBy with identifiers in the policy file.
> 
> Example:
> 
> (users)
> 
> DEFAULT Client-Identifier=abc, Auth-Type=Krb-Ldap, Group=grp1
>                 Custom-Attribute=1
> 
> DEFAULT Client-Identifier=abc, Auth-Type=Krb-Ldap, Group=grp2
>                 Custom-Attribute=2
> 
> (policy)
> 
> <AuthBy LDAP2>
>                 Identifier Ldap
> ...
> </AuthBy>
> 
> <AuthBy KRB5>
>                 Identifier Krb
> ...
> </AuthBy>
> 
> <AuthBy GROUP>
>                 Identifier Krb-Ldap
>                 AuthByPolicy ContinueWhileAccept
>                 AuthBy krb-auth
>                 AuthBy ldap-auth
> </AuthBy>
> 
> I want the following:
> 
> -  Auth-Type Krb-Ldap called only _once_, which will verify the
> user's password and retrieve all the groups he is part of.
> 
> -  Parse users file, matching the first DEFAULT where Group
> matches one of the groups that were retrieved above.
> 
> -  Have AuthBy's that don't support Groups check just ignore it,
> instead of returning a reject.
> 
> Thanks!
> 
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
> 


--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, 
Windows, MacOSX, Solaris, VMS, NetWare etc.