specifying back end to proxy on per-user basis

Greg Woods woods at ucar.edu
Fri Aug 22 21:45:10 CEST 2008

On Fri, 2008-08-22 at 20:25 +0200, Alan DeKok wrote:
> Greg Woods wrote:
> > I have to find a
> > way to specify in the front end proxy on a per-user basis which back end
> > server should be used.
>   Use groups, or *something* else.

I can't find any information on groups except for the "chroot" group and
huntgroups, and neither of those appears to be related to what I'm
trying to do. I grepped all the config files and there's no "man 5
groups". Can you point me to the documentation on groups?

>   What's in the request packet that makes S/key different from the other
> authentication modules?  

Since the requests are all generated by the same clients, nothing is
different. What I need is to be able to have certain users proxied to
the s/key back end server, and the rest of them proxied to the default
otp back end server. So whatever I come up with has to be able to key on
the User-Name attribute. 

> How can you distinguish between the two kinds
> of requests? 

Only by what the User-Name is. 

>  Where is that information stored?

That is what I am trying to figure out. Certainly, the User-Name
attribute is coming in as part of the Access-Request packet. I want to
be able to decide, based on the value of that attribute, which realm it
should be proxied to (or if realms isn't the right way to do this, in
some way based only on User-Name I have to be able to proxy to different
back end servers).

It appears from the comments in the preproxy_users file that this may be
where I should be doing this. But it doesn't work because the authorize
section has previously determined the realm. I also tried using the
users file to set Realm, overwrite User-Name with user@SKEY, and none of
this worked either. While the debug output shows that the users entry
matched, it doesn't actually change the value of Realm or User-Name. I
always get something like this:

rad_recv: Access-Request packet from host port 58207, id=208,
        User-Name = "woods"
        User-Password = "CURRENT SKEY PASSPHRASE"
        NAS-IP-Address =
        NAS-Port = 0
+- entering group authorize
    users: Matched entry woods at line 1
++[files] returns ok
    rlm_realm: No '@' in User-Name = "woods", looking up realm NULL

This is even if I have in users:

woods User-Name := woods@SKEY

Apparently User-Name is immutable. But it doesn't look like I can set
Realm either because that is always determined from User-Name. Catch-22.

    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "woods"
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Proxying request from user woods to realm NULL
    rlm_realm: Preparing to proxy authentication request to realm
++[NULL] returns updated
+- entering group pre-proxy
    preproxy_users: Matched entry woods at line 32
++[files] returns ok

In any case I think I have figured out that doing it in users isn't the
right approach, because the documentation says this only modifies the
reply, and a proxied request isn't exactly a reply. That's probably why
this method doesn't work.

But doing it in pre-proxy is obviously too late, as the realm is already
determined by the time pre-proxy is entered. It actually works here to
change the User-Name value to "woods@SKEY", but it's still proxying that
new username to the NULL realm server.


More information about the Freeradius-Users mailing list