[Help-gnu-radius] Defining custom attributes
From: Charles Sprickman
Subject: [Help-gnu-radius] Defining custom attributes
Date: Mon, 19 Apr 2004 17:40:20 -0400 (EDT)
Hi,
In another thread I noticed that it's possible to define custom
attributes. In my config I am using the attribute "Auth-Data" to supply
some additional information for my sql auth query. Since another hackish
thing I'm trying to do requires another attribute, I decided to make a few
more appropriately named attributes for my own use.
Looking through the supplied dictionary files, I see Auth-Data is defined
like so in the standard dictionary:
ATTRIBUTE Auth-Data 2006 string - [L--R-R]=
I looked through the other files and found that the low 4000's are free
for additional attributes. I'm not sure if there's some limit on this ID,
or a suggested range for custom attributes.
So I added two more attributes of my own patterned after Auth-Data:
ATTRIBUTE Auth-Gid 4000 string - [L--R-R]=
ATTRIBUTE Auth-Dom 4001 string - [L--R-R]=
Auth-Data was used in three files to supply a slightly different query
depending on where the request came from. Below are the relevant config
snippets.
huntgroups:
# this config will tag each NAS client with a name that is recognized
# in the users file. In the users file, an additional sql conditional
# is added to discriminate between local, roaming and news access
#LOCAL NAS-IP-Address = 127.0.0.1 NULL
ROAM NAS-IP-Address = 127.0.0.1 NULL
NEWS NAS-IP-Address = 216.220.x.7 NULL
#COVAD NAS-IP-Address = 127.0.0.1 NULL
users:
# also see "huntgroups"... Here we are using tags from huntgroups to
# assign extra "Auth-Data" to a request based on which nas the request
# comes from.
DEFAULT Huntgroup-Name = LOCAL,
        Auth-Type = SQL,
        Auth-Gid = "64"
        Service-Type = Framed-User
DEFAULT Huntgroup-Name = ROAM,
        Auth-Type = SQL,
        Auth-Gid = "128"
        Service-Type = Framed-User
[etc.]
sqlserver:
# Query to select the password for the given user. Should return one
# string.
auth_query SELECT pw_passwd \
           FROM vpopmail \
           WHERE pw_name='%u' \
           AND pw_domain='bway.net' \
           AND !(pw_gid & %C{Auth-Gid})
Now when all of the above was set to "Auth-Data" where you now see
"Auth-Gid" all is well, and everything works as expected. But when I
switch to using my custom attributes, authentication always fails, in fact
it never even makes it to the sql query:
Apr 19 17:25:52 Main.info: Ready to process requests.
Apr 19 17:26:02 Auth.debug: auth.c:684:rad_authenticate: auth: chip
Apr 19 17:26:02 Auth.notice: No such user [chip]
Apr 19 17:26:02 Auth.debug: auth.c:807:sfn_init: 0 -> 15
Apr 19 17:26:02 Auth.debug: auth.c:1197:sfn_reject_cleanup: 15 -> 14
Apr 19 17:26:02 Auth.debug: auth.c:1203:sfn_reject: REJECT: chip
Apr 19 17:26:02 Auth.info: rule trace: /usr/local/etc/raddb/huntgroups:9
Here's a log snippet with the same config, but with all instances of
"Auth-Gid" changed back to "Auth-Data":
address@hidden/usr/local/etc/raddb]# grep Auth-Data *
sqlserver: AND !(pw_gid & %C{Auth-Data})
users:# assign extra "Auth-Data" to a request based on which nas the request
users: Auth-Data = "64"
users: Auth-Data = "128"
users: Auth-Data = "256"
users: Auth-Data = "512"
Apr 19 17:40:17 Auth.debug: auth.c:684:rad_authenticate: auth: chip
Apr 19 17:40:17 Auth.debug: sql.c:750:attach_sql_connection: allocating new 0 sql connection
Apr 19 17:40:17 Auth.debug: sql.c:763:attach_sql_connection: connection 0 timed out: reconnect
Apr 19 17:40:17 Auth.debug: mysql.c:119:rad_mysql_reconnect: connected to 216.220.x.x
Apr 19 17:40:17 Auth.debug: sql.c:768:attach_sql_connection: attaching 0x8106500 [0]
Apr 19 17:40:17 Auth.debug: mysql.c:158:rad_mysql_getpwd: query: SELECT pw_passwd FROM vpopmail WHERE pw_name='chip' AND pw_domain='bway.net' AND !(pw_gid & 128)
Apr 19 17:40:17 Auth.debug: mysql.c:61:do_mysql_query: called with SELECT pw_passwd FROM vpopmail WHERE pw_name='chip' AND pw_domain='bway.net' AND !(pw_gid & 128)
Apr 19 17:40:17 Auth.debug: mysql.c:71:do_mysql_query: MYSQL query returned 0
Apr 19 17:40:17 Auth.debug: auth.c:292:rad_check_password: auth_type=3, userpass=xxx, name=chip, password=$1$xxxxx
Apr 19 17:40:17 Auth.debug: auth.c:322:rad_check_password: auth: Crypt
Apr 19 17:40:17 Auth.debug: auth.c:333:rad_check_password: pwbuf: $1$xxxxx
Apr 19 17:40:17 Auth.debug: auth.c:1175:sfn_ack: ACK: chip
Apr 19 17:40:17 Auth.notice: Login OK [chip]
Apr 19 17:40:17 Auth.info: rule trace: /usr/local/etc/raddb/users:18; huntgroups:9
It seems strange that just changing that one attribute causes such a
radically different behaviour; even the rule trace shows a different line.
Again, the only changes are noted in the grep above this log...
Any ideas?
Thanks,
Charles
___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
address@hidden - 212.655.9344
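A small consistency check for the kind of half-converted raddb tree described in the post, added here as an example; it is not part of the post and not GNU Radius code. It parses constructed copies of the dictionary, users and sqlserver fragments (the numbers given for Auth-Type and Huntgroup-Name are placeholders, not the real standard-dictionary values) and reports attribute numbers claimed twice, attributes referenced in users or in a %C{} substitution but missing from the dictionary, and %C{} names that no users entry ever assigns.

```python
import re

# Constructed sample files modelled on the configuration quoted in the post.
# Auth-Type and Huntgroup-Name carry placeholder numbers; Service-Type is RFC 2865.
DICTIONARY = """\
# placeholder numbers for the two internal attributes below
ATTRIBUTE Auth-Type       9001 integer
ATTRIBUTE Huntgroup-Name  9002 string
ATTRIBUTE Service-Type    6    integer
ATTRIBUTE Auth-Data       2006 string - [L--R-R]=
ATTRIBUTE Auth-Gid        4000 string - [L--R-R]=
ATTRIBUTE Auth-Dom        4001 string - [L--R-R]=
"""
USERS = """\
# users file: Auth-Gid is set here, but sqlserver below still says Auth-Data
DEFAULT Huntgroup-Name = LOCAL,
        Auth-Type = SQL,
        Auth-Gid = "64"
        Service-Type = Framed-User
"""
SQLSERVER = """\
auth_query SELECT pw_passwd FROM vpopmail \\
        WHERE pw_name='%u' AND !(pw_gid & %C{Auth-Data})
"""
ATTR_RE = re.compile(r'^\s*ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)', re.M)
ITEM_RE = re.compile(r'([A-Z][A-Za-z0-9-]*)\s*=')   # check/reply items in users
SUBST_RE = re.compile(r'%C\{([^}]+)\}')             # %C{Attr} substitutions

def parse_dictionary(text):
    """Return {name: (number, type)} and a list of numbers claimed by two names."""
    attrs, owner, clashes = {}, {}, []
    for name, num, typ in ATTR_RE.findall(text):
        num = int(num)
        if owner.get(num, name) != name:
            clashes.append((num, owner[num], name))
        owner.setdefault(num, name)
        attrs[name] = (num, typ)
    return attrs, clashes

def check_config(dictionary, users, sqlserver):
    """Cross-check the three files; every list is empty for a consistent tree."""
    attrs, clashes = parse_dictionary(dictionary)
    users_items = set(ITEM_RE.findall(re.sub(r'#.*', '', users)))
    query_refs = set(SUBST_RE.findall(sqlserver))
    return {
        'clashes': clashes,
        'undefined': sorted((users_items | query_refs) - set(attrs)),
        'unset_in_users': sorted(query_refs - users_items),
    }

if __name__ == '__main__':
    for key, val in check_config(DICTIONARY, USERS, SQLSERVER).items():
        print(f'{key}: {val}')
```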