Alan DeKok:
Lasse Karstensen wrote:
We're running freeradius 1.0.5 You should upgrade. http://freeradius.org/security.html
This is (hopefully) already patched by the SUSE Security team.
This Class -attribute is based on with password file (rlm_passwd) that had the user in question. Ok... Previously I've just hacked this together with Exec-Program-Wait in the users -file and a shell script, but I'm now looking for a cleaner solution. The passwd module would work well. What's wrong with that?
I probably was a bit unclear. radiusd.conf: """ passwd foo_smbpasswd { filename = /etc/raddb/var/foo-smbpasswd.ntlm format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" hashsize = 10000 ignorenislike = no allowmultiplekeys = no } passwd foo_passwd { filename = /etc/raddb/var/foo-passwd.crypt format = "*Stripped-User-Name:Crypt-Password:" hashsize = 10000 ignorenislike = no allowmultiplekeys = no } """ This exists both for foo and bar, ie there are two different sets of password files. Further down: """ authorize { suffix eap mschap files foo_passwd foo_smbpasswd bar_passwd bar_smbpasswd } """ In the users file: """ DEFAULT Exec-Program-Wait = "/usr/local/bin/deduceClass /etc/raddb/var/bar-passwd.crypt", Fall-Through = Yes """ deduceClass has the pseudocode: class=foo if user exists in bar-passwd.crypt: class = bar print "Class = $class" This seems to add the Class attribute to auth-accept packets. So. What I want, is to set the Class attribute to either 'foo' or 'bar', so that our vpn concentrator can differ between the two. -- Lasse