On Oct 2, 2018, at 6:33 AM, Alejandro Perez-Mendez <alex.perez-mendez@jisc.ac.uk> wrote:
The doubt I have is where and how to store the OTP secret codes. So far, for development, I have a Python dictionary defined on the Python module with all the User-Name -> Secret key associations, but having these on the code is not a good practice and it requires managing two user lists, one for authentication (users file or SQL DB or LDAP...) plus this OTP secret list. This might lead to inconsistencies.
The first option I thought of was to make use of the config {} subsection of the python module, but it would still be a second user list (besides the main one used for authentication).
Then I thought that I might be able to define an internal attribute (similar to Cleartext-Password) that contained the OTP secret. It would be defined as follows:
ATTRIBUTE OTP-Secret 3000 string
That's possible...
And then use it on the "users" file or on the DB as follows:
alex@test.org Cleartext-Password := "OneTestingPassword", OTP-Secret := "7MR674BRPXXNYGGMPFA52MW6GSMA6JQL"
This way I would be able to define the OTP Secret right next to the user password, on any backend that I'd like to use (users file, LDAP, SQL...).
I've tested it and it works, so question is: Can I define internal attributes for private module usage? If so, how are numbers allocated? Can I use any number I want if it's not currently in use?
The "on the wire" numbers are allocated by IANA. The "internal" numbers are allocated by us, via dictionary.freeradius.internal. The question is: who is going to use this functionality? If it's just you, then use raddb/dictionary, and the numbers there. If it's the general FreeRADIUS community, then send a pull request for dictionary.freeradius.internal. If it's some people but not a lot, then it's difficult to say what the best choice is. Alan DeKok.