Hi All, I'd like to enable users to enter their username OR serial number as the &User-Name variable, then let /policy.d/filter determine how to process it. This would also require that I add an attribute in the radcheck table and restructure my SQL queries. The serial number is stored as text. All users know their serial numbers, but not all users have a username which is how this issue arose. Any advice would be helpful. Thanks in advance, David -- David Teston PINES System Administrator http://georgialibraries.org
On Tue, Nov 29, 2016 at 10:27:58AM -0500, David Teston wrote:
I'd like to enable users to enter their username OR serial number as the &User-Name variable, then let /policy.d/filter determine how to process it. This would also require that I add an attribute in the radcheck table and restructure my SQL queries.
The serial number is stored as text. All users know their serial numbers, but not all users have a username which is how this issue arose.
Haven't got a great deal of info about your setup, but I guess you've got somewhere a record with a serial number, password and optional user name. So unlang that looks at the User-Name and if it looks like a serial number, do the appropriate sql/ldap/other database lookup to pull that password into Cleartext-Password. Otherwise if it doesn't look like a serial number, lookup the username instead (watching the null case). Or alternatively, if you detect username not being a serial number, do some unlang to pull the correct appropriate serial number and replace the User-Name attribute with that, then proceed as normal. This sort of thing will work with PAP auth. If you're doing EAP then you can't rewrite the User-Name so will need to come up with something else... but same sort of idea. Look up the username that's relevant based on the form of User-Name you get. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I guess you've got somewhere a record with a serial number, password and optional user name.
For testing, I'm copying credentials from an application we use/host which does include all of those.
If you're doing EAP then you can't rewrite the User-Name so will need to come up with something else.
I will be using EAP. If I leave unlang as is, I could rely on SQL to look for the username/serial. For example: select * from radcheck; id | username | attribute | op | value | serial ----+---------------+----------------------+----+---------------+----------------- 1 | myself | User-Password | := | test-pass | 987688113 User logs in with serial: User-Name = "987688113" The new SQL query could be: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE (Username = '987688113' OR serial = '987688113') ORDER BY id; -- David Teston PINES System Administrator Georgia Public Library Service 1800 Century Place, Suite 150 Atlanta, GA 30345 Office: 404-235-7206 Mobile: 404-623-8676 dteston@georgialibraries.org http://georgialibraries.org On Tue, Nov 29, 2016 at 10:51 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Nov 29, 2016 at 10:27:58AM -0500, David Teston wrote:
I'd like to enable users to enter their username OR serial number as the &User-Name variable, then let /policy.d/filter determine how to process it. This would also require that I add an attribute in the radcheck table and restructure my SQL queries.
The serial number is stored as text. All users know their serial numbers, but not all users have a username which is how this issue arose.
Haven't got a great deal of info about your setup, but I guess you've got somewhere a record with a serial number, password and optional user name.
So unlang that looks at the User-Name and if it looks like a serial number, do the appropriate sql/ldap/other database lookup to pull that password into Cleartext-Password. Otherwise if it doesn't look like a serial number, lookup the username instead (watching the null case).
Or alternatively, if you detect username not being a serial number, do some unlang to pull the correct appropriate serial number and replace the User-Name attribute with that, then proceed as normal.
This sort of thing will work with PAP auth. If you're doing EAP then you can't rewrite the User-Name so will need to come up with something else... but same sort of idea. Look up the username that's relevant based on the form of User-Name you get.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Tue, Nov 29, 2016 at 11:16:56AM -0500, David Teston wrote:
I guess you've got somewhere a record with a serial number, password and optional user name.
For testing, I'm copying credentials from an application we use/host which does include all of those.
Your simplest solution may then be to just create two identical entries in your SQL database for each set of credentials. One with username = the username, and the other with username = serial number. That will keep your FreeRADIUS config much simpler.
User logs in with serial: User-Name = "987688113"
The new SQL query could be: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE (Username = '987688113' OR serial = '987688113') ORDER BY id;
The SQL statements can all be modified, so you should be able to do something with it along these lines. But breaking it down to its simplest, one person can log in with two accounts. So put two accounts in the database. Otherwise, use unlang to work out what type of username is being used, and depending on that call the appropriate sql module, or use the appropriate sql statements. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
... just create two identical entries in your SQL database for each set of credentials. ... one person can log in with two accounts.
You're right, but I may have to keep it all as one entry, just so the id field on the radcheck table is uniform and can correspond to the application database as well. I think I will modify the radcheck table (add column "serial number") and SQL queries. You have helped me find the best solution to this problem. Thanks for all of your help, Matthew. David -- David Teston PINES System Administrator http://georgialibraries.org On Tue, Nov 29, 2016 at 11:33 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Nov 29, 2016 at 11:16:56AM -0500, David Teston wrote:
I guess you've got somewhere a record with a serial number, password and optional user name.
For testing, I'm copying credentials from an application we use/host which does include all of those.
Your simplest solution may then be to just create two identical entries in your SQL database for each set of credentials. One with username = the username, and the other with username = serial number.
That will keep your FreeRADIUS config much simpler.
User logs in with serial: User-Name = "987688113"
The new SQL query could be: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE (Username = '987688113' OR serial = '987688113') ORDER BY id;
The SQL statements can all be modified, so you should be able to do something with it along these lines.
But breaking it down to its simplest, one person can log in with two accounts. So put two accounts in the database.
Otherwise, use unlang to work out what type of username is being used, and depending on that call the appropriate sql module, or use the appropriate sql statements.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Nov 29, 2016, at 11:16 AM, David Teston <dteston@georgialibraries.org> wrote:
I will be using EAP. If I leave unlang as is, I could rely on SQL to look for the username/serial. For example:
select * from radcheck; id | username | attribute | op | value | serial ----+---------------+----------------------+----+---------------+----------------- 1 | myself | User-Password | := | test-pass | 987688113
User logs in with serial: User-Name = "987688113"
The new SQL query could be: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE (Username = '987688113' OR serial = '987688113') ORDER BY id;
Please don't do that. It is overly complex and fragile. Go read my previous message. That solution will work, and will be enormously simpler. Alan DeKok.
[From my initial message] let /policy.d/filter determine how to process it. [From your first message] when someone logs in using a serial number, look that up in the table, get the name.
How will it know whether or not they're using a serial number?
have a table which maps serial numbers to User-Names.
Could I just add a "serial" column to the radcheck table? -- David Teston PINES System Administrator Georgia Public Library Service 1800 Century Place, Suite 150 Atlanta, GA 30345 Office: 404-235-7206 Mobile: 404-623-8676 dteston@georgialibraries.org http://georgialibraries.org On Tue, Nov 29, 2016 at 11:39 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 29, 2016, at 11:16 AM, David Teston <dteston@georgialibraries.org> wrote:
I will be using EAP. If I leave unlang as is, I could rely on SQL to look for the username/serial. For example:
select * from radcheck; id | username | attribute | op | value | serial ----+---------------+----------------------+----+----------- ----+----------------- 1 | myself | User-Password | := | test-pass | 987688113
User logs in with serial: User-Name = "987688113"
The new SQL query could be: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE (Username = '987688113' OR serial = '987688113') ORDER BY id;
Please don't do that. It is overly complex and fragile.
Go read my previous message. That solution will work, and will be enormously simpler.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Tue, Nov 29, 2016 at 11:52:39AM -0500, David Teston wrote:
[From my initial message] let /policy.d/filter determine how to process it. [From your first message] when someone logs in using a serial number, look that up in the table, get the name.
How will it know whether or not they're using a serial number?
Regex? e.g. if (&User-Name =~ /^\d+$/) { }
have a table which maps serial numbers to User-Names.
Could I just add a "serial" column to the radcheck table?
Re-reading Alan's message, he's right - leave the standard table as-is and just add a new table with a cross-reference to lookup, and set Stripped-User-Name to whichever is the canonical username. So *something* like (off the top of my head, probably some syntax errors) if (&User-Name =~ /^\d+$/) { update request { Stripped-User-Name := &User-Name } } else { update request { Stripped-User-Name := %{sql:select serial from usertable where username = '%{User-Name}';} } } Then look up Stripped-User-Name in your normal sql tables. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Nov 29, 2016, at 11:52 AM, David Teston <dteston@georgialibraries.org> wrote:
[From my initial message] let /policy.d/filter determine how to process it. [From your first message] when someone logs in using a serial number, look that up in the table, get the name.
How will it know whether or not they're using a serial number?
How will *you* now it's a serial number? It's not like the contents of the User-Name are secret. You know what they are, and you can look at them to see which ones are serials and which ones are not. Then, write "unlang" rules to tell them apart. Or even simpler, just look up every User-Name in the table, as if the User-Name was a serial number. If something is found, the User-Name must have been a serial number. If nothing is found, the User-name is not a serial number.
have a table which maps serial numbers to User-Names.
Could I just add a "serial" column to the radcheck table?
Maybe. I'd avoid changing the default configuration / schema / queries. It makes upgrading more difficult. Adding one more table && a single SELECT statement is rather a lot simpler. Alan DeKok.
On Nov 29, 2016, at 10:27 AM, David Teston <dteston@georgialibraries.org> wrote:
I'd like to enable users to enter their username OR serial number as the &User-Name variable, then let /policy.d/filter determine how to process it.
What does that mean? When the user logs in, the server gets a User-Name attribute. It has no idea if the contents are a user name, or a serial number. It has no idea that user "bob" is really the same person as serial number "123456".
This would also require that I add an attribute in the radcheck table and restructure my SQL queries.
To do... what? Be specific.
The serial number is stored as text. All users know their serial numbers, but not all users have a username which is how this issue arose.
Any advice would be helpful. Thanks in advance,
The description of this problem is vague at best. It's difficult to give advice when you're not clear what you're doing, or what you need. Describe the problem not the solution you've came up with. Describe what you see in a packet. Give examples. Describe what you need to happen. e.g. user "bob" gets the same policy / whatever as user "123456". TBH, based on your vague description, the simplest thing to do is to have a table which maps serial numbers to User-Names. Then, when someone logs in using a serial number, look that up in the table, get the name. Set the Stripped-User-Name to the name you get from the table. And then base all of your remaining policies on the real name, e.g. "bob". The recommended approach to these issues is to simplify the problem. Find a way to turn two things into one thing. Don't increase the complexity by allowing two different things everywhere in the server. That's a nightmare which will be impossible to maintain or debug. Alan DeKok.
participants (3)
-
Alan DeKok -
David Teston -
Matthew Newton