Just a quick check in case I'm missing something obvious. Can't see anything, but... Is there any way from the current request structure to find out which section is currently being processed (authorize/accounting/post-auth etc)? Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Dec 29, 2016, at 8:18 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Just a quick check in case I'm missing something obvious. Can't see anything, but...
Is there any way from the current request structure to find out which section is currently being processed (authorize/accounting/post-auth etc)?
There's the string name of the section if that's all you need: https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/src/main/xlat_ev... -Arran
On Thu, Dec 29, 2016 at 08:52:23AM -0500, Arran Cudbard-Bell wrote:
On Dec 29, 2016, at 8:18 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Is there any way from the current request structure to find out which section is currently being processed (authorize/accounting/post-auth etc)?
There's the string name of the section if that's all you need:
Ah, thanks. As I expected, right in plain sight! I'm looking at possibilities for the rlm_winbind group compare function. It seems that it's unreliable to use before auth, but should probably be OK in post-auth, so one thing (as well as updating the documentation, which nobody reads) is to print out a debug warning if it's used in e.g. authorize or post-auth-fail. The second possibility may be to fail the group lookup if we can check with libwbclient that the correct data hasn't been cached by a prior auth. That's probably more reliable, but not yet sure if it's possible. Even then, a debug warning is probably good. The 'correct' way seems to get the group SID, then auth, and check the group SID against the list of SIDs returned after the auth. Obviously this isn't particularly easy with the way FreeRADIUS is structured. I guess one way would be to have a group_check option to rlm_winbind which passes a group name(s) to be checked at auth time. That's not the normal flow, but probably the most reliable where AD comes in. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Arran Cudbard-Bell -
Matthew Newton