On 04/04/2013 03:40 PM, Garry Shtern wrote:

> I am trying to accomplish the following goal and would love ideas on the
> best way to accomplish it…

Have you considered something like:

<Handler Client-Identifier=abc>
  AuthByPolicy ContinueWhileAccept
  AuthBy krb-auth
  AuthBy ldap-auth
  # If still here, have authenticated and have group
  <AuthBy FILE>
    Filename users
    AuthenticateAttribute Group
  </AuthBy>
</Handler>

Where 'users' may look like this:
group1
    Custom-Attribute=1

group2
    Custom-Attribute=2

You are describing the problem in terms of configuration you are
thinking about and this makes it quite hard for me to follow. Bouncing
off from AuthBy FILE with Auth-Type check item seems quite complex and
I'm thinking there's probably an easier way to do this.

Thanks,
Heikki


> - Setup clients with identifiers.
> - In the user file specify multiple defaults, with
> Client-Identifier, Auth-Type and optional Group attributes in check
> replies, and different reply attributes.
> - Defined custom AuthBy with identifiers in the policy file.
> 
> Example:
> 
> (users)
> DEFAULT Client-Identifier=abc, Auth-Type=Krb-Ldap, Group=grp1
>                 Custom-Attribute=1
> 
> DEFAULT Client-Identifier=abc, Auth-Type=Krb-Ldap, Group=grp2
>                 Custom-Attribute=2
> 
> (policy)
> <AuthBy LDAP2>
>                 Identifier Ldap
> …
> </AuthBy>
> 
> <AuthBy KRB5>
>                 Identifier Krb
> …
> </AuthBy>
> 
> <AuthBy GROUP>
>                 Identifier Krb-Ldap
>                 AuthByPolicy ContinueWhileAccept
>                 AuthBy krb-auth
>                 AuthBy ldap-auth
> </AuthBy>
> 
> I want the following:
> - Auth-Type Krb-Ldap called only _once_, which will verify the
> user’s password and retrieve all the groups he is part of.
> - Parse users file, matching the first DEFAULT where Group
> matches one of the groups that were retrieved above.
> - Have AuthBy’s that don’t support Groups check just ignore it,
> instead of returning a reject.
> 
> Thanks!
> 
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
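Added illustration (not Radiator's code and not from either poster): a small Python model of the users-file lookup the thread is about. It parses both layouts shown above (entries keyed by group name as in Heikki's proposal, and DEFAULT entries with check items as in Garry's) and returns the reply attributes of the first entry, in file order, whose name or Group check item is among the groups retrieved at authentication. The sample file, the `request` dict and the matching rules are assumptions for the illustration; Radiator's real parser and check-item semantics are not reproduced.

```python
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample mixing both layouts from the thread: DEFAULT entries
# with check items, and an entry keyed directly by group name.
USERS_FILE = """\
DEFAULT Client-Identifier=abc, Group=grp1
    Custom-Attribute=1

DEFAULT Client-Identifier=abc, Group=grp2
    Custom-Attribute=2

group3
    Custom-Attribute=3
"""

def _items(s: str) -> Iterator[Tuple[str, str]]:
    # "A=1, B=2" -> ("A", "1"), ("B", "2"); surrounding quotes are dropped
    for item in (i.strip() for i in s.split(",")):
        if item:
            key, _, value = item.partition("=")
            yield key.strip(), value.strip().strip('"')

def parse_users_file(text: str) -> List[Dict]:
    """Assumed layout: an unindented line is the entry name plus optional
    comma-separated check items; indented lines below are reply attributes."""
    entries: List[Dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            name, _, rest = line.strip().partition(" ")
            entries.append({"name": name, "check": dict(_items(rest)), "reply": {}})
        elif entries:
            entries[-1]["reply"].update(_items(line.strip()))
    return entries

def _matches(entry: Dict, request: Dict[str, str], groups: List[str]) -> bool:
    # A named entry matches when its name is one of the user's groups (the
    # AuthenticateAttribute Group idea); a DEFAULT entry matches when every
    # check item holds, with Group tested against the whole group list.
    if entry["name"] != "DEFAULT":
        return entry["name"] in groups
    for key, value in entry["check"].items():
        ok = value in groups if key == "Group" else request.get(key) == value
        if not ok:
            return False
    return True

def select_reply(entries: List[Dict], request: Dict[str, str],
                 groups: List[str]) -> Optional[Dict[str, str]]:
    """Reply attributes of the first matching entry in file order, else None."""
    for entry in entries:
        if _matches(entry, request, groups):
            return dict(entry["reply"])
    return None
```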