Opposite of Expiration attribute?
Matthew George
mgeorge at geores.net
Sat Jun 18 20:30:19 CEST 2011
Thank you so much for your assistance, p.mayers.
In a nutshell, probably the easiest way to do what I'm trying to do is maybe
to use an attribute called "Current-Time-Date"
This way I could use the >= operator in the radcheck table for mysql to
verify when a user is attempting to authenticate that it is currently equal
to or greater than the time they are allowed to authenticate.
This way I have the ability to control exactly when the account should be
accepted and I'll be able to use the "Expiration" attribute to control when
the account should no longer be accepted.
I'm currently using MySQL.
To give you the whole picture of what I'm trying to do: I have a gentleman
that is currently developing a PHP scheduling engine that will allow users
to sign up and register for free Cisco lab time so they can use the lab with
the workbook I've created, which is also free, for preparation for the CCNA
exam. More information can be found at http://www.freeccnaworkbook.com/lab
The only thing holding all this back at the moment is getting this specific
attribute to work as required. I would rather have FreeRADIUS do this with
an attribute instead of having this guy figure out a workaround to do the
same thing.
-----Original Message-----
From: freeradius-users-bounces+mgeorge=geores.net at lists.freeradius.org
[mailto:freeradius-users-bounces+mgeorge=geores.net at lists.freeradius.org] On
Behalf Of Phil Mayers
Sent: Saturday, June 18, 2011 3:04 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Opposite of Expiration attribute?
On 06/17/2011 11:50 PM, Matthew George wrote:
> Using logintime I cannot specify a date and time; it's UUCP.
>
> I need to be able to specify a date and time. I'm curious as to why
> the "Date" attribute does not exist.
>
> Nonetheless, I still need to get this working even if it involves me
> having to pay someone.
I can think of a few ways of doing this; you probably don't need to pay
someone. At the end of the day, it's just an attribute comparison. All you
need to do is make sure the attributes are populated.
Can you be a bit more specific about where you want to read the validity
range from, and how you want to do the comparisons? Are they stored in SQL
or LDAP for example? What format are they stored in?
Here's an example of how you could implement it yourself, using Unix
timestamps read from a file, and integer comparisons:
raddb/dictionary:

    ATTRIBUTE Account-Starttime 3000 integer
    ATTRIBUTE Account-Endtime   3001 integer
    ATTRIBUTE Current-Time      3002 integer
raddb/policy.conf:

    policy {
        check_validity {
            # %l expands to the current time as a Unix epoch
            update control {
                Current-Time := "%l"
            }
            # The passwd fields marked '~' are config (check) items, so
            # Account-Starttime/Account-Endtime live in the control list
            # and must be referenced with the control: prefix.
            if (control:Account-Starttime > control:Current-Time) {
                update reply {
                    Reply-Message := "account not yet active"
                }
                reject
            }
            if (control:Account-Endtime < control:Current-Time) {
                update reply {
                    Reply-Message := "account no longer active"
                }
                reject
            }
        }
    }
raddb/modules/start_end_time:

    passwd start_end_time {
        # Entries in this file are of the format:
        #
        #   username:epochstart:epochend
        #
        # date -d "$THEDATE" +%s can be used to convert strings
        # to epoch at the unix shell
        filename = ${raddbdir}/start_end
        format = "*User-Name:~Account-Starttime:~Account-Endtime"
    }
raddb/sites-enabled/xxx:

    authorize {
        ....
        # read the validity from file
        start_end_time
        # check it
        check_validity
        ...
    }
But there are probably very many ways of doing this. If you can be more
specific, I or others can make more suggestions, but better would be to
break the problem down into parts, then look at the tools FreeRADIUS gives
you (namely, lots of ways to populate attributes from data sources, and
lots of ways to compare them) and factor a solution.
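As an added illustration (not part of Phil's or Matthew's messages, and not FreeRADIUS code), the script below builds the start_end file in the format the passwd module above expects and replays the check_validity comparisons offline, so a validity window can be verified before it is handed to the server. User names, dates and the file path are constructed for the example; GNU date is assumed for the -d conversion the thread mentions.

```shell
#!/bin/sh
# Constructed sample file location (hypothetical path).
START_END_FILE="${START_END_FILE:-/tmp/start_end.example}"

# Convert a human-readable UTC date to a Unix epoch, the same
# "date -d ... +%s" conversion the passwd module comment suggests.
to_epoch() {
    date -u -d "$1" +%s
}

# Write a constructed start_end file: "username:epochstart:epochend".
# Two hypothetical users with fixed lab windows in UTC.
write_sample_file() {
    {
        printf '%s:%s:%s\n' alice \
            "$(to_epoch '2011-06-20 09:00:00')" "$(to_epoch '2011-06-20 11:00:00')"
        printf '%s:%s:%s\n' bob \
            "$(to_epoch '2011-06-21 14:00:00')" "$(to_epoch '2011-06-21 16:00:00')"
    } > "$START_END_FILE"
}

# Mirror of the check_validity policy: given a user and a "now" epoch
# (what %l would expand to), print the outcome the policy would reach:
# "not yet active", "no longer active", "active", or "unknown user"
# when the passwd lookup finds no entry.
validity_status() {
    user="$1"; now="$2"
    line=$(grep "^${user}:" "$START_END_FILE" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "unknown user"; return 0; }
    start=${line#*:}          # epochstart:epochend
    end=${start#*:}           # epochend
    start=${start%%:*}        # epochstart
    if [ "$start" -gt "$now" ]; then
        echo "not yet active"
    elif [ "$end" -lt "$now" ]; then
        echo "no longer active"
    else
        echo "active"
    fi
}

# Stand-alone usage: build the file and check alice against the real clock.
write_sample_file
validity_status alice "$(date +%s)"
```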