request current section

Matthew Newton mcn4 at leicester.ac.uk
Fri Dec 30 16:58:50 CET 2016


On Thu, Dec 29, 2016 at 08:52:23AM -0500, Arran Cudbard-Bell wrote:
> > On Dec 29, 2016, at 8:18 AM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> > 
> > Is there any way from the current request structure to find out
> > which section is currently being processed
> > (authorize/accounting/post-auth etc)?
> 
> There's the string name of the section if that's all you need:

Ah, thanks. As I expected, right in plain sight!

I'm looking at possibilities for the rlm_winbind group compare
function. It seems that it's unreliable to use before auth, but
should probably be OK in post-auth, so one thing (as well as
updating the documentation, which nobody reads) is to print out a
debug warning if it's used in e.g. authorize or post-auth-fail.

The second possibility may be to fail the group lookup if we can
check with libwbclient that the correct data hasn't been cached by
a prior auth. That's probably more reliable, but not yet sure if
it's possible. Even then, a debug warning is probably good.

The 'correct' way seems to get the group SID, then auth, and check
the group SID against the list of SIDs returned after the auth.
Obviously this isn't particularly easy with the way FreeRADIUS is
structured. I guess one way would be to have a group_check option
to rlm_winbind which passes a group name(s) to be checked at auth
time. That's not the normal flow, but probably the most reliable
where AD comes in.

Cheers,
Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
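
The check described in the message above (resolve the group SID, authenticate, then look for that SID in the list returned by the auth), as an added example that is not part of the original post or of rlm_winbind. The example_* types and functions and the sample SIDs are constructed stand-ins, and the libwbclient lookup and auth calls themselves are not shown; SIDs are compared in parsed form so that a differing string rendering (such as a leading zero) does not cause a mismatch.

```c
/* Added example; example_* names are hypothetical, not libwbclient or FreeRADIUS API. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTHS 15                  /* a SID holds at most 15 sub-authorities */
typedef struct {
    uint64_t authority;                  /* 48-bit identifier authority */
    uint8_t  num_auths;
    uint32_t sub_auths[MAX_SUBAUTHS];
} example_sid_t;

/* One decimal field; rejects the signs and whitespace strtoull would accept. */
static bool parse_num(const char **p, uint64_t max, uint64_t *out) {
    if (!isdigit((unsigned char)**p)) return false;
    *out = strtoull(*p, (char **)p, 10); /* overflow yields ULLONG_MAX, caught below */
    return *out <= max;
}

/* Parse the string form "S-1-A-S1-S2-..." (revision 1, decimal authority only). */
bool example_sid_parse(const char *s, example_sid_t *out) {
    uint64_t v;
    memset(out, 0, sizeof(*out));
    if (strncmp(s, "S-1-", 4) != 0) return false;
    s += 4;
    if (!parse_num(&s, 0xFFFFFFFFFFFFULL, &out->authority)) return false;
    while (*s == '-') {
        s++;
        if (out->num_auths == MAX_SUBAUTHS || !parse_num(&s, UINT32_MAX, &v)) return false;
        out->sub_auths[out->num_auths++] = (uint32_t)v;
    }
    return *s == '\0';
}

/* True only if the pre-resolved group SID is in the list the auth reply carried.
 * Fails closed: a malformed group SID or an empty list means "not a member". */
bool example_group_check(const char *group_sid, const char *const *auth_sids, size_t n) {
    example_sid_t want, have;
    if (!example_sid_parse(group_sid, &want)) return false;
    for (size_t i = 0; i < n; i++)
        if (example_sid_parse(auth_sids[i], &have) && have.authority == want.authority &&
            have.num_auths == want.num_auths &&
            !memcmp(have.sub_auths, want.sub_auths, sizeof(uint32_t) * want.num_auths))
            return true;
    return false;
}
/* Constructed sample: SIDs as an auth reply might list them for one user. */
const char *const example_auth_sids[] = {
    "S-1-5-21-1004336348-1177238915-682003330-513",
    "S-1-5-21-1004336348-1177238915-682003330-1107" };
```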


More information about the Freeradius-Devel mailing list