MAC authorisation (but not authentication) via LDAP

Sun Feb 25 15:58:19 CET 2007

Zitat von Phil Mayers <p.mayers at imperial.ac.uk>:

> Markus Krause wrote:
>> modules {
>>      ...
>>      ldap LdapUser1 {
>>              .... ldapserv1
>>      }
>>
>>      ldap LdapUser2 {
>>              .... ldapserv2
>>      }
>>      ...
>> }
>>
>> authorize {
>>       ...
>>       Autz-Type LdapUser {
>>           redundant {
>>               LdapUser1
>>               LdapUser2
>>           }
>>       }
>>       ...
>> }
>>
>> authenticate {
>>       ...
>>       Auth-Type LdapUser {
>>           redundant {
>>               LdapUser1
>>               LdapUser2
>>           }
>>       }
>>       ...
>> }
>
> You should be able to replace this last bit with:
>
> authenticate {
>    Auth-Type LdapUser1 {
>      LdapUser1
>    }
>    Auth-Type LdapUser2 {
>      LdapUser2
>    }
> }
>
> ...and set the "set_auth_type = yes" on each LDAP module.
>
> The general idea is that MODULES should set Auth-Type (to themselves)
> indicating that they will handle the authenticate phase.
>
> Note that the above is still redundant - if the ldap module answered
> during the authorize phase, there's clearly only a miniscule chance it
> will have failed by the time authenticate runs.
>
> And in fact, if ldap1 succeeds during authorize but fails during
> authenticate, arguably passing it to ldap2 is an error - example, the
> user might have just changed their password so ldap1 fails, but ldap2 is
> still replicating so thinks the old password is valid.
ok, i agree with you, "enough" redundancy can be achieved by this  
also. (the ldap servers used here are both consumers of the same  
provider, all with very low load so it seems quite unlikely that they  
run out of sync, but one never know...)

but what if the Auth-Type is not set, for example in a perl module  
(btw. how can i set the auth-type? that would solve my problem here!).
example:
we (will) have a wlan which can be used by all our users known in ldap  
and we have additional accounts saved in sql, which can be given to  
guests by our departments and research groups, these accounts are then  
valid for a fixed (preset) number of days since their first usage. to  
check this i wrote a small perl script which works. so for  
authorization i use in radiusd.conf:

----- part of radiusd.conf
authorization {
         Autz-Type WLAN {
                 group {
                         mpi-sta {
                                 ok = return
                         }
                         redundant {
                                 LdapUser1
                                 LdapUser2
                         }
                 }
         }
}

authentication {
         Auth-Type WLAN {
                 mpi-sta {
                         notfound = 1
                 }
                 redundant {
                         LdapUser1
                         LdapUser2
                 }
         }
}
----

the Auth-Type is set in users according to the huntgroup of the wlan-switch as
the perl skript does not set auth-type (because i did not find any  
documentation on how to set it) so i had to force auth-type to WLAN,  
now it works.

----------------------------------------------------------------------
      This message was sent using https://webmail2.biochem.mpg.de
If you encounter any problems please report to rz-linux at biochem.mpg.de