Can I define an internal attribute for a module?

Alan DeKok aland at deployingradius.com
Tue Oct 2 12:53:53 CEST 2018


On Oct 2, 2018, at 6:33 AM, Alejandro Perez-Mendez <alex.perez-mendez at jisc.ac.uk> wrote:
> The doubt I have is where and how to store the OTP secret codes. So far, for development, I have a Python dictionary defined in the Python module with all the User-Name -> Secret key associations, but having these in the code is not a good practice and it requires managing two user lists, one for authentication (users file or SQL DB or LDAP...) plus this OTP secret list. This might lead to inconsistencies.
> 
> The first option I thought of was to make use of the config {} subsection of the python module, but it would still be a second user list (besides the main one used for authentication).
> 
> Then I thought that I might be able to define an internal attribute (similar to Cleartext-Password) that contained the OTP secret. It would be defined as follows:
> 
> ATTRIBUTE   OTP-Secret         3000    string

  That's possible...

> And then use it on the "users" file or on the DB as follows:
> 
> alex@test.org   Cleartext-Password := "OneTestingPassword", OTP-Secret := "7MR674BRPXXNYGGMPFA52MW6GSMA6JQL"
> 
> This way I would be able to define the OTP Secret right next to the user password, on any backend that I'd like to use (users file, LDAP, SQL...).
> 
> I've tested it and it works, so the question is: Can I define internal attributes for private module usage? If so, how are numbers allocated? Can I use any number I want if it's not currently in use?

  The "on the wire" numbers are allocated by IANA.  The "internal" numbers are allocated by us, via dictionary.freeradius.internal.

  The question is: who is going to use this functionality?  If it's just you, then use raddb/dictionary, and the numbers there.  If it's the general FreeRADIUS community, then send a pull request for dictionary.freeradius.internal.  If it's some people but not a lot, then it's difficult to say what the best choice is.

  Alan DeKok.
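
One way a Python module could consume the OTP-Secret attribute discussed in this thread, as an added example that is not code from either poster or from FreeRADIUS. It assumes the secret is a base32 TOTP key (RFC 6238, HMAC-SHA1, 6 digits, 30-second step) and that the attribute pairs reach the function as (name, value) tuples; `totp`, `get_attr` and `check_otp` are hypothetical names.

```python
import base64, hashlib, hmac, struct, time

OTP_ATTR = "OTP-Secret"  # local attribute name from the thread (raddb/dictionary)


def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def get_attr(pairs, name):
    """Return one attribute's value from ((name, value), ...), or None."""
    for attr, value in pairs:
        if attr == name:
            return value.strip('"')  # tolerate a value that is still quoted
    return None


def check_otp(pairs, submitted, now=None, window=1):
    """True only if `submitted` matches the TOTP within +/- `window` steps.
    Fails closed when OTP-Secret is absent or is not valid base32."""
    secret = get_attr(pairs, OTP_ATTR)
    if not secret:
        return False
    now = time.time() if now is None else now
    try:
        candidates = [totp(secret, now + i * 30) for i in range(-window, window + 1)]
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False
    # Check every candidate with a constant-time compare; the secret and the
    # submitted code are credentials and should never be written to logs.
    ok = False
    for c in candidates:
        ok |= hmac.compare_digest(c.encode(), submitted.encode("utf-8"))
    return ok
```

Because OTP-Secret sits next to Cleartext-Password in the same backend, anyone who can read that store holds both factors, so it needs the same access controls as the password data.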



