Hello again,

I am attempting to validate both the username and appropriate group membership
via MySQL on an incoming access-request before bothering to process the HOTP
password provided. If the username doesn't exist, or the user is not a member
of the group in the list provided, send a reject and stop processing.

The problem I run into is that the grouplist check appears to be performed by
the 2nd AuthBy clause, which fails because HOTP is not capable of checking
groups. I would like for the group check to occur prior to the HOTP check.

Here is my config layout so far:
FYI: The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"

<AuthBy GROUP>
    Identifier AuthSQL
    AuthByPolicy ContinueWhileAccept
    <AuthBy SQL>
        GroupMembershipQuery SELECT groupname FROM v_usergroups \
            WHERE username=%0 AND groupname=%1
        AuthSelect select PASSWORD, 'Auth-Type=AuthHOTP', \
            'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
        AuthColumnDef 0, Class, request
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, check
    </AuthBy>
</AuthBy GROUP>

<AuthBy GROUP>
    Identifier AuthHOTP
    <AuthBy SQLHOTP>
        ...
    </AuthBy>
</AuthBy GROUP>

<Realm DEFAULT>
    AuthBy AuthSQL
</Realm>

I don't see any evidence that the AuthBy SQL is performing the group check, and
the log tells me "WARNING: This AuthBy does not know how to get user Groups"
under the HOTP section.
Is there a way to accomplish what I'm after?
Thanks!
Chuck
_______________________________________________
radiator mailing list
http://www.open.com.au/mailman/listinfo/radiator