Username OR Serial Number

David Teston dteston at georgialibraries.org
Tue Nov 29 17:16:56 CET 2016


> I guess you've got somewhere a record with a serial number, password and
> optional user name.

For testing, I'm copying credentials from an application we use/host which
does include all of those.

> If you're doing EAP then you can't rewrite the User-Name so will need to
> come up with something else.

I will be using EAP. If I leave unlang as is, I could rely on SQL to look
for the username/serial. For example:

select * from radcheck;
 id | username |   attribute   | op |   value   |  serial
----+----------+---------------+----+-----------+-----------
  1 | myself   | User-Password | := | test-pass | 987688113

User logs in with serial: User-Name = "987688113"

The new SQL query could be: SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE (Username = '987688113' OR serial = '987688113') ORDER BY id;



--
David Teston
PINES System Administrator
Georgia Public Library Service
1800 Century Place, Suite 150
Atlanta, GA 30345
Office: 404-235-7206
Mobile: 404-623-8676
dteston at georgialibraries.org
http://georgialibraries.org

On Tue, Nov 29, 2016 at 10:51 AM, Matthew Newton <mcn4 at leicester.ac.uk>
wrote:

> On Tue, Nov 29, 2016 at 10:27:58AM -0500, David Teston wrote:
> > I'd like to enable users to enter their username OR serial number as the
> > &User-Name variable, then let /policy.d/filter determine how to process
> > it.
> > This would also require that I add an attribute in the radcheck table and
> > restructure my SQL queries.
> >
> > The serial number is stored as text. All users know their serial numbers,
> > but not all users have a username which is how this issue arose.
>
> Haven't got a great deal of info about your setup, but I guess
> you've got somewhere a record with a serial number, password and
> optional user name.
>
> So unlang that looks at the User-Name and if it looks like a
> serial number, do the appropriate sql/ldap/other database lookup
> to pull that password into Cleartext-Password. Otherwise if it
> doesn't look like a serial number, lookup the username instead
> (watching the null case).
>
> Or alternatively, if you detect username not being a serial
> number, do some unlang to pull the correct appropriate serial
> number and replace the User-Name attribute with that, then proceed
> as normal.
>
> This sort of thing will work with PAP auth. If you're doing EAP
> then you can't rewrite the User-Name so will need to come up with
> something else... but same sort of idea. Look up the username
> that's relevant based on the form of User-Name you get.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
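
The "username OR serial" lookup discussed in this message, as an added example that is not part of the original post or of FreeRADIUS: it runs the proposed query with bound parameters and refuses the two cases where it is ambiguous, an empty identity (the null case) and an identity that matches more than one account. Assumptions: SQLite stands in for the real database, the function names are hypothetical, and all sample rows except the first are constructed.

```python
import sqlite3

# Constructed sample rows; only the first one comes from the post above.
SAMPLE = [
    ("myself", "User-Password", ":=", "test-pass", "987688113"),
    ("", "User-Password", ":=", "pw-two", "555000111"),             # no username set
    ("555000111", "User-Password", ":=", "pw-three", "123123123"),  # username == another serial
]

def build_db(rows):
    """In-memory stand-in for radcheck with the extra serial column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT, serial TEXT)")
    db.executemany("INSERT INTO radcheck (username, attribute, op, value, serial)"
                   " VALUES (?, ?, ?, ?, ?)", rows)
    return db

def lookup(db, identity):
    """Return (attribute, op, value) check items for exactly one account."""
    if not identity:
        # Null case: an empty User-Name would match every row with a blank username.
        raise ValueError("empty identity")
    rows = db.execute(
        "SELECT id, username, attribute, value, op, serial FROM radcheck"
        " WHERE username = ? OR serial = ? ORDER BY id",
        (identity, identity)).fetchall()
    accounts = {r[5] for r in rows}  # the serial identifies the account
    if len(accounts) > 1:
        # Merging check items of two accounts would mix their passwords.
        raise LookupError("identity matches %d accounts" % len(accounts))
    return [(r[2], r[4], r[3]) for r in rows]

def collisions(db):
    """Usernames that are also the serial of a different account."""
    return [r[0] for r in db.execute(
        "SELECT DISTINCT a.username FROM radcheck a JOIN radcheck b"
        " ON a.username = b.serial AND a.serial <> b.serial"
        " ORDER BY a.username")]

if __name__ == "__main__":
    db = build_db(SAMPLE)
    print(lookup(db, "987688113"))
    print("colliding usernames:", collisions(db))
```

Running collisions() against the real table before switching to the OR query shows whether any existing username would shadow another user's serial.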

