specifying back end to proxy on per-user basis

Alan DeKok aland at deployingradius.com
Fri Aug 22 22:48:37 CEST 2008


Greg Woods wrote:
> I can't find any information on groups except for the "chroot" group and
> huntgroups, and neither of those appears to be related to what I'm
> trying to do. I grepped all the config files and there's no "man 5
> groups". Can you point me to the documentation on groups?

  Use *any* kind of groups.  Unix groups, groups in SQL, or groups
defined on the server.  See "man rlm_passwd" for an example.

> Since the requests are all generated by the same clients, nothing is
> different. What I need is to be able to have certain users proxied to
> the s/key back end server, and the rest of them proxied to the default
> otp back end server. So whatever I come up with has to be able to key on
> the User-Name attribute. 

  See "man rlm_passwd".  You will need to put the s/key users into a
group, and proxy based on membership in that group.

>>  Where is that information stored?
> 
> That is what I am trying to figure out.

  No... where do *you* want to store the information about which user
belongs in which group.

> Certainly, the User-Name
> attribute is coming in as part of the Access-Request packet. I want to
> be able to decide, based on the value of that attribute, which realm it
> should be proxied to (or if realms isn't the right way to do this, in
> some way based only on User-Name I have to be able to proxy to different
> back end servers).

  And where do you want to store that information?

> It appears from the comments in the preproxy_users file that this may be
> where I should be doing this. But it doesn't work because the authorize
> section has previously determined the realm.

  pre-proxy is done *after* the decision has been made to proxy the request.

> Apparently User-Name is immutable. But it doesn't look like I can set
> Realm either because that is always determined from User-Name. Catch-22.

  No.   If you don't need the "realms" module, then delete the
references to it.  That's why the configuration files are editable.  You
*can* edit them.

  Alan DeKok.
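As an added illustration of the approach described in this thread (group membership looked up by rlm_passwd, then Proxy-To-Realm chosen from the group in the users file), here is a FreeRADIUS 2.x configuration sketch. It is not from the original post or from the FreeRADIUS project; the module name `skey_group`, the file path `/etc/raddb/skey_groups`, the realm names `skey` and `otp`, the home server addresses (192.0.2.x documentation range) and the shared secrets are placeholders chosen for the example.

```conf
# --- /etc/raddb/skey_groups (hypothetical file, /etc/group layout) ---
# One line per group: name:password:gid:member1,member2,...
#   skey:x:1001:alice,bob

# --- raddb/modules/passwd (hypothetical module instance) ---
# rlm_passwd reads the file above.  In the format string:
#   '='  field becomes a check item  (Group-Name)
#   '~'  field is ignored            (password, gid)
#   '*'  field is the lookup key     (User-Name)
#   ','  the key field holds several comma-separated values
passwd skey_group {
        filename = /etc/raddb/skey_groups
        format = "=Group-Name:~:~:*,User-Name"
        delimiter = ":"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = no
}

# --- raddb/proxy.conf (hypothetical back ends; placeholder addresses) ---
home_server skey_backend {
        type = auth
        ipaddr = 192.0.2.10
        port = 1812
        secret = CHANGE-ME-skey-secret
}
home_server otp_backend {
        type = auth
        ipaddr = 192.0.2.20
        port = 1812
        secret = CHANGE-ME-otp-secret
}
home_server_pool skey_pool {
        type = fail-over
        home_server = skey_backend
}
home_server_pool otp_pool {
        type = fail-over
        home_server = otp_backend
}
# These realms are never matched against the User-Name suffix; they are
# only selected explicitly through Proxy-To-Realm below.
realm skey {
        auth_pool = skey_pool
        nostrip
}
realm otp {
        auth_pool = otp_pool
        nostrip
}

# --- raddb/users ---
# Members of the "skey" group go to the s/key back end; everyone else to
# the default OTP back end.  Fall-Through = no stops at the first match.
DEFAULT Group-Name == "skey", Proxy-To-Realm := "skey"
        Fall-Through = no

DEFAULT Proxy-To-Realm := "otp"
        Fall-Through = no

# --- raddb/sites-enabled/default, authorize section (excerpt) ---
# skey_group must run before files so Group-Name exists when the users
# file is evaluated.  The realm modules (suffix / ntdomain) are left out,
# as suggested above, so nothing else sets the realm from User-Name.
authorize {
        preprocess
        skey_group
        files
        expiration
        logintime
}
```

Because the lookup is purely on User-Name, the same decision applies regardless of which NAS sent the request, which is what the question asked for. Running `radiusd -X` and testing with `radtest` for one user in the group and one outside it shows in the debug output which realm each request is proxied to; if `skey_group` finds no match it simply returns noop and the second DEFAULT entry applies.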


