Greg Woods wrote:
I can't find any information on groups except for the "chroot" group and huntgroups, and neither of those appears to be related to what I'm trying to do. I grepped all the config files and there's no "man 5 groups". Can you point me to the documentation on groups?
Use *any* kind of groups. Unix groups, groups in SQL, or groups defined on the server. See "man rlm_passwd" for an example.
Since the requests are all generated by the same clients, nothing is different. What I need is to be able to have certain users proxied to the s/key back end server, and the rest of them proxied to the default otp back end server. So whatever I come up with has to be able to key on the User-Name attribute.
See "man rlm_passwd". You will need to put the s/key users int a group, and proxy based on membership in that group.
Where is that information stored?
That is what I am trying to figure out.
No... where do *you* want to store the information about which user belongs in which group.
Certainly, the User-Name attribute is coming in as part of the Access-Request packet. I want to be able to decide, based on the value of that attribute, which realm it should be proxied to (or if realms isn't the right way to do this, in some way based only on User-Name I have to be able to proxy to different back end servers).
And where do you want to store that information?
It appears from the comments in the preproxy_users file that this may be where I should be doing this. But it doesn't work because the authorize section has previously determined the realm.
pre-proxy is done *after* the decision has been made to proxy the request.
Apparently User-Name is immutable. But it doesn't look like I can set Realm either because that is always determined from User-Name. Catch-22.
No. If you don't need the "realms" module, then delete the references to it. That's why the configuration files are editable. You *can* edit them. Alan DeKok.