rlm_perl question (was Re: General question about authentication/authorization)

George C. Kaplan gckaplan at ack.berkeley.edu
Fri Mar 17 23:22:45 CET 2006


Phil Mayers wrote:
> George C. Kaplan wrote:

>> I've been wondering about this, in relation to the rlm_perl module.  We
>> see "Don't set Auth-Type in the users file" all over the place, but with
>> rlm_perl, the %RAD_CHECK hash is read-only.  So if I'm using perl for
>> authorization, I *have to* set the Auth-Type in the users file.
> 
> You shouldn't really ever have to set it AT ALL, EVER, though some of
> the fixes that make that a doable proposition are only in newer (CVS?)
> versions of FR - e.g. the reworking of the PAP module, optional setting
> of the Auth-Type on the ldap module, {algo} detection in the
> User-Password field, and so forth.
> [...]
> The only case I can see where you need to Auth-Type is when you have a
> need for >1 copy of an authentication algorithm with different
> parameters e.g. for different services. 

Or you're using an authentication method (Kerberos, in my case) that
isn't one of the standard methods assocated with the authorization
module.  (As Alan points out, you have to know what you're doing to make
this work).

> This can typically be handled
> more cleanly IMHO with Autz-Type. So, for example:
> 
> modules {
>   # shared modules - no state, irrelevant which service they answer
>   chap {
>     authtype = CHAP
>   }
>   # service 1 modules
>   mschap mschap1 {
>     # we'll to MS-CHAP internally
>     authtype = MS-CHAP1
>   }

Right; you configure each authorization module to set the appropriate
Auth-Type.

In my case, I'm using a combination of LDAP and perl for authorization
(see my reply to Florian Prester earlier) and Kerberos for
authentication.  There's no place in the LDAP module config to set
Auth-Type (although maybe that'll change soon, as you note), and I
couldn't do it in the perl module (in the config or the script) either.

>> This isn't really a problem (since it all works the way I want), but it
>> seems inconsistent, especially considering that other modules can modify
>> the request or check items.  So, why were %RAD_CHECK and %RAD_REQUEST
>> made read-only?

> I can't say specifically in that case. It does seem odd. But that still
> doesn't make setting Auth-Type any cleaner ;o)

Well, if you're using rlm_perl for authorization, you're already doing
something out of the ordinary, so you really need to know what you're
doing in the first place.  It seems better to set the Auth-Type there
than in the users file, where the more mundane parts of the RADIUS
config live.

-- 
George C. Kaplan                            gckaplan at ack.berkeley.edu
Communication & Network Services            510-643-0496
University of California at Berkeley



More information about the Freeradius-Users mailing list