RE: Grouping after Kerberos 5 authentication accepted?
Thank you Alan. I read the documentations and now I'm able to use Kerberos and MySQL along with FreeRadius. Thank you for your help. However, I'm stuck in the last part of the project which is to reply the accept request along with assigned attributes. For example, Kerberos successfully authenticate admin/admin (yes I don't use MySQL for authentication), and FreeRadius knows this user has permission to access. Now, in the postauth part, FreeRadius searches the radreply table in its MySQL database for the proper attributes that this particular user has, say Service-Type = Administrative-User. I store these attribute information in radreply table and leave other tables empty. So, I edited the postauth_query in sql.conf: postauth_query = "SELECT id, UserName, Attribute, Value, op \ FROM ${authreply_table} \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id" I can't get the 'Service-Type = Administrative-User' in the accept-reply package. Am I missing something here? Any help would be appreciated. Regards, Jason -----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: Thursday, April 19, 2007 10:27 AM To: jchan2@utm.utoronto.ca Subject: Re: Grouping after Kerberos 5 authentication accepted? Jason Chan wrote:
You are correct, the grouping isn't come from Kerberos. I'm going to build a mysql database in the FreeRadius server to handle all the grouping/permissions. What fields do I need for the database? I searched on the FreeRadius website and I can't find any information related to SQL
See the "doc" directory. There are schemas and examples. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.446 / Virus Database: 269.5.4/768 - Release Date: 4/19/2007 5:32 AM
Jason Chan wrote:
For example, Kerberos successfully authenticate admin/admin (yes I don't use MySQL for authentication), and FreeRadius knows this user has permission to access. Now, in the postauth part, FreeRadius searches the radreply table in its MySQL database for the proper attributes that this particular user has, say Service-Type = Administrative-User. I store these attribute information in radreply table and leave other tables empty.
So, I edited the postauth_query in sql.conf:
I think for historical reasons, you have to perform the query in the authorize section. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hello Alan, It works! After I changed the authorize_check_query the FreeRadius is now able to check for attributes after Kerberos authentications. Thanks! Regards, Jason -----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: Thursday, April 19, 2007 8:13 PM To: jchan2@utm.utoronto.ca; FreeRadius users mailing list Subject: Re: Grouping after Kerberos 5 authentication accepted? Jason Chan wrote:
For example, Kerberos successfully authenticate admin/admin (yes I don't use MySQL for authentication), and FreeRadius knows this user has permission to access. Now, in the postauth part, FreeRadius searches the radreply table in its MySQL database for the proper attributes that this particular user has, say Service-Type = Administrative-User. I store these attribute information in radreply table and leave other tables empty.
So, I edited the postauth_query in sql.conf:
I think for historical reasons, you have to perform the query in the authorize section. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.446 / Virus Database: 269.5.4/768 - Release Date: 4/19/2007 5:32 AM
participants (2)
-
Alan DeKok -
Jason Chan