How to distinguish good or bad user using unlang and passwd module?
bastardinho69
bastardinho69 at gmail.com
Sun Mar 8 17:43:27 CET 2009
tnt at kalik.net wrote:
>> I am using a passwd module to authorize users.
>>
>
> No, you are using passwd module to store passwords.
>
>
>> First passwd module
>> checks
>>
>
> It doesn't check anything - it returns the password stored for that user.
>
>
>> cisco_users file (format = "*User-Name:Cleartext-Password") and
>> then passwd module must check cisco_groups file (format =
>> "~Cisco-Group:*,User-Name"). However when passwd module checks the
>> cisco_user file, it returns status "ok" even when user password (in
>> request packet) doesn't match with cisco_user file.
>>
>
> As it should. As I mentioned before: it doesn't check passwords.
>
>
>> So I am able to
>> distinguish users only by their User-Name, but I need to check their
>> passwords as well.
>>
>
> Why? pap module does that.
>
>
>> I cannot figure out how to write that in my authorize
>> section.
>>
>
> Perhaps because that is not authorization but authentication.
>
>
>> Later, if username and password matches an entry in my
>> cisco_user file I will call cisco_group file and find to which group
>> that user belongs to assign the right services.
>>
>
> Well, freeradius does that before. You can actually reject the user
> during authorization and not go for authentication at all.
>
>
>> currently my code looks like this:
>>
>> passwd cisco_user_module {
>>     #filename = /etc/group
>>     filename = /usr/local/etc/raddb/cisco_users
>>     #format = "=Etc-Group-Name:::*,User-Name"
>>     format = "*User-Name:Cleartext-Password"
>>     hashsize = 100
>>     ignorenislike = yes
>>     allowmultiplekeys = yes
>>     delimiter = ":"
>> }
>>
>> authorize {
>>     cisco_user_module
>>     if (notfound) {
>>         update control {
>>             Auth-Type := Reject
>>         }
>>         update reply {
>>             Reply-Message := "Access denied, sorry!"
>>         }
>>     }
>>     elsif (ok) {
>>         cisco_group_module
>>     }
>> }
>>
>
> Make that just:
>
> authorize {
>     cisco_user_module
>     cisco_group_module
>     pap
> }
>
> and then in post-auth
>
> Post-Auth-Type REJECT {
>     update reply {
>         Reply-Message := "Access denied, sorry!"
>     }
> }
>
> Ivan Kalik
> Kalik Informatika ISP
Thank You a lot, Ivan, You made my mind clearer! ;)
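The separation Ivan describes, modelled as an added example that is not part of the thread or of FreeRADIUS: a passwd-style lookup only returns the stored password and group for a User-Name (and reports "ok" whatever password the request carried), a pap-style step is the one that compares, and the denial message is attached in one post-auth REJECT step. The sample file contents and the reading of the two passwd formats are constructed assumptions.

```python
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample files in the two formats quoted in the thread.
CISCO_USERS = """alice:s3cret
bob:hunter2
"""
CISCO_GROUPS = """netadmins:alice
helpdesk:bob,carol
"""

def passwd_lookup(user_name: str) -> Tuple[str, Dict[str, str]]:
    """Model of the passwd module: find the line keyed by User-Name and
    return its fields as control items. Like the real module it never
    compares anything; it only reports 'ok' (found) or 'notfound'."""
    for line in CISCO_USERS.splitlines():
        name, _, cleartext = line.partition(":")
        if name == user_name:
            return "ok", {"Cleartext-Password": cleartext}
    return "notfound", {}

def group_lookup(user_name: str) -> Optional[str]:
    """Second passwd-style file: group name, then a comma-separated member
    list (assumed reading of the '~Cisco-Group:*,User-Name' format)."""
    for line in CISCO_GROUPS.splitlines():
        group, _, members = line.partition(":")
        if user_name in members.split(","):
            return group
    return None

def pap_authenticate(request_password: str, control: Dict[str, str]) -> str:
    """Model of the pap module: compare the request's User-Password with
    the Cleartext-Password that authorize placed in the control list."""
    stored = control.get("Cleartext-Password")
    if stored is None:
        return "noop"          # nothing to compare against
    same = hmac.compare_digest(stored.encode(), request_password.encode())
    return "ok" if same else "reject"

def handle_access_request(user_name: str, user_password: str) -> Dict[str, Optional[str]]:
    """authorize (lookups only) -> authenticate (pap) -> Post-Auth-Type REJECT."""
    rcode, control = passwd_lookup(user_name)
    group = group_lookup(user_name)
    if rcode == "ok" and pap_authenticate(user_password, control) == "ok":
        return {"code": "Access-Accept", "Cisco-Group": group}
    # Post-Auth-Type REJECT: the one place the denial message is attached.
    return {"code": "Access-Reject", "Reply-Message": "Access denied, sorry!"}
```

Note that `passwd_lookup("alice")` reports "ok" for a wrong password too; only `pap_authenticate` turns that into a reject, which is why the `if (notfound)` / `elsif (ok)` branches alone cannot tell a good login from a bad one.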