Your "AuthBy GROUP AuthSQL" will not flow down into the "AuthBy GROUP 
AuthHOTP".  I don't think the AuthHOTP will be used at all in this config.

Looks like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
> <AuthBy GROUP>
>          Identifier      AuthSQL
>          AuthByPolicy    ContinueWhileAccept
>          <AuthBy SQL>
>                  GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>                  AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>                  AuthColumnDef   0, Class, request
>                  AuthColumnDef   1, GENERIC, check
>                  AuthColumnDef   2, GENERIC, check
>          </AuthBy>

# now call the AuthHOTP
        AuthBy AuthHOTP

> </AuthBy GROUP>


Michael


On 11-02-03 02:34 PM, Linuxchuck wrote:
> Hello again,
>
> I am attempting to validate both the username and appropriate group 
> membership via MySQL on an incoming access-request before bothering to 
> process the HOTP password provided.  If the username doesn't exist, or the 
> user is not a member of the group in the list provided, send a reject and 
> stop processing.
>
> The problem I run into is that the grouplist check appears to be performed by 
> the 2nd AuthBy clause, which fails because HOTP is not capable of checking 
> groups.  I would like for the group check to occur prior to the HOTP check.
>
> Here is my config layout so far:
>
> FYI:  The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>
> <AuthBy GROUP>
>          Identifier      AuthSQL
>          AuthByPolicy    ContinueWhileAccept
>          <AuthBy SQL>
>                  GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>                  AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>                  AuthColumnDef   0, Class, request
>                  AuthColumnDef   1, GENERIC, check
>                  AuthColumnDef   2, GENERIC, check
>          </AuthBy>
> </AuthBy GROUP>
>
> <AuthBy GROUP>
>          Identifier              AuthHOTP
>          <AuthBy SQLHOTP>
>                  ...
>          </AuthBy>
> </AuthBy GROUP>
>
> <Realm DEFAULT>
>          AuthBy AuthSQL
> </Realm>
>
> I don't see any evidence that the AuthBy SQL is performing the group check, 
> and the log tells me "WARNING: This AuthBy does not know how to get user 
> Groups" under the HOTP section.
>
> Is there a way to accomplish what I'm after?
>
> Thanks!
>
> Chuck
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>