rlm_passwd and Class -attribute
Lasse Karstensen
lkarsten at stud.ntnu.no
Tue Feb 20 13:55:23 CET 2007
Alan DeKok:
> Lasse Karstensen wrote:
>> We're running freeradius 1.0.5
> You should upgrade. http://freeradius.org/security.html
This is (hopefully) already patched by the SUSE Security team.
>> This Class -attribute is based on with password file (rlm_passwd) that had
>> the user in question.
> Ok...
>> Previously I've just hacked this together with Exec-Program-Wait in the users
>> -file and a shell script, but I'm now looking for a cleaner solution.
> The passwd module would work well. What's wrong with that?
I probably was a bit unclear.
radiusd.conf:
"""
passwd foo_smbpasswd {
filename = /etc/raddb/var/foo-smbpasswd.ntlm
format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
hashsize = 10000
ignorenislike = no
allowmultiplekeys = no
}
passwd foo_passwd {
filename = /etc/raddb/var/foo-passwd.crypt
format = "*Stripped-User-Name:Crypt-Password:"
hashsize = 10000
ignorenislike = no
allowmultiplekeys = no
}
"""
This exists both for foo and bar, i.e. there are two different sets of password files.
Further down:
"""
authorize {
suffix
eap
mschap
files
foo_passwd
foo_smbpasswd
bar_passwd
bar_smbpasswd
}
"""
In the users file:
"""
DEFAULT
Exec-Program-Wait = "/usr/local/bin/deduceClass /etc/raddb/var/bar-passwd.crypt",
Fall-Through = Yes
"""
deduceClass has the pseudocode:
class=foo
if user exists in bar-passwd.crypt: class = bar
print "Class = $class"
This seems to add the Class attribute to auth-accept packets.
So, what I want is to set the Class attribute to either 'foo' or 'bar', so that our
VPN concentrator can distinguish between the two.
--
Lasse
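The deduceClass pseudocode above, written out as an Exec-Program-Wait helper. This is an added example, not the poster's script: it assumes FreeRADIUS 1.x hands the request attributes to the program on stdin as `Attribute = "value"` lines and adds any `Attribute = value` lines the program prints to the reply, and it assumes the crypt file has one `user:hash:` entry per line.

```shell
#!/bin/sh
# Added example (not the original deduceClass). Usage from the users file:
#   Exec-Program-Wait = "/usr/local/bin/deduceClass /etc/raddb/var/bar-passwd.crypt"
# Prints "Class = bar" when the user is listed in that file, "Class = foo" otherwise.

# Read the attribute lines FreeRADIUS passes on stdin (assumed 1.x interface)
# and print the user name. Prefers Stripped-User-Name, the key rlm_passwd is
# configured with above, and falls back to User-Name.
request_user() {
    stripped=""; plain=""
    while IFS= read -r line; do
        case "$line" in
            *"Stripped-User-Name ="*) stripped=${line#*= } ;;
            *"User-Name ="*)          plain=${line#*= } ;;
        esac
    done
    user=${stripped:-$plain}
    # strip the double quotes FreeRADIUS puts around string values
    user=${user#\"}; user=${user%\"}
    printf '%s\n' "$user"
}

# deduce_class USER FILE -> "bar" if USER is the first field of a line in FILE
# (passwd-style "user:hash:"), "foo" otherwise. Fixed-string, whole-field match,
# so a user name containing regex characters cannot widen the lookup.
deduce_class() {
    if [ -n "$1" ] && cut -d: -f1 "$2" 2>/dev/null | grep -qxF -- "$1"; then
        echo bar
    else
        echo foo
    fi
}

# When invoked with the passwd file as its only argument, act as the helper:
# the reply attribute goes to stdout for FreeRADIUS to pick up.
if [ "$#" -eq 1 ]; then
    user=$(request_user)
    printf 'Class = %s\n' "$(deduce_class "$user" "$1")"
fi
```

A user absent from both files still gets Class = foo, exactly as the pseudocode does; if that is not wanted, reject instead of defaulting.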