Handling user based on an attribute in a dynamic manner

Alan DeKok aland at deployingradius.com
Sat Feb 10 14:39:43 CET 2018


On Feb 10, 2018, at 5:26 AM, Nathan Ward <lists+freeradius at daork.net> wrote:
> 
> 
> I’m working on a solution where I need to auth differently, and return different attributes based on a user’s access type. I can see the interface that a user has arrived on, and from that look up the access type. We have maybe 100 different interfaces which can change a bit, divided into 3 or 4 different access types. Once I know the access type, I can choose which of the other attributes I use to authenticate the user. We run 3.0.16 (or will by the time this is deployed).
> 
> I’m trying to figure out a good way to map those 100 interfaces to access types, without a change meaning a restart.
> 
> We run LDAP right now, we don’t have SQL servers running on our front end servers, and I’d rather avoid it.
> 
> Right now, I’m considering SQLite, but I’m not certain how it would handle:
> 1) A 3rd party process opening the db file to write periodically - I see posts about only one writer, and that’s fine I only want one writer, but I want to write from a different application.. is that OK?

  Yes.

> 2) Changes to the file, would they require a restart - I presume the DB file is not cached in memory in FreeRADIUS somehow, but that’s just a guess.

  They won't require a restart.  If the updates are fast (i.e. sub millisecond), it won't really affect the server much.

> Our auth load is quite manageable, so, if a request blocked for a second or two while the write was happening that would be OK - but errors/false negatives would be bad.

  Updates should be less than 1ms in the normal case.

> Can anyone help with these before I go spending a bunch of time testing?
> 
> Any other solutions I should consider? A server restart is always an option, but, I’d rather avoid it if possible.

  rlm_passwd can do this, too.  See "man rlm_passwd"

  Alan DeKok.
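
An added example, not part of the original thread and not FreeRADIUS code: the single-external-writer pattern discussed above, shown directly against SQLite from Python. The writer replaces the interface map in one transaction while a long-lived reader connection keeps answering lookups, and a failed update rolls back so the old map stays in place. The table name `iface_map`, its columns and the interface names are assumptions constructed for illustration.

```python
import os
import sqlite3
import tempfile
from contextlib import closing

def open_db(path, timeout_s=2.0):
    # timeout= makes a connection wait for a lock held by the other process
    # instead of failing at once with "database is locked".
    return sqlite3.connect(path, timeout=timeout_s)

def init_db(path):
    with closing(open_db(path)) as db, db:
        db.execute("CREATE TABLE IF NOT EXISTS iface_map ("
                   "interface TEXT PRIMARY KEY, access_type TEXT NOT NULL)")

def replace_mapping(path, mapping):
    """Writer (the separate application): swap the whole map in one transaction."""
    with closing(open_db(path)) as db, db:  # inner 'db' commits, or rolls back on error
        db.execute("DELETE FROM iface_map")
        db.executemany("INSERT INTO iface_map VALUES (?, ?)", mapping.items())

def lookup(db, interface):
    """Reader: access type for an interface, or None if it is not mapped."""
    # fetchall() runs the statement to completion, so no read lock lingers.
    rows = db.execute("SELECT access_type FROM iface_map WHERE interface = ?",
                      (interface,)).fetchall()
    return rows[0][0] if rows else None

def demo():
    path = os.path.join(tempfile.mkdtemp(), "ifaces.db")
    init_db(path)
    replace_mapping(path, {"ge-0/0/1": "dsl", "ge-0/0/2": "fibre"})  # constructed data
    with closing(open_db(path)) as reader:  # long-lived, like a running server
        before = lookup(reader, "ge-0/0/1")
        replace_mapping(path, {"ge-0/0/1": "fibre", "ge-0/0/3": "wireless"})
        after = lookup(reader, "ge-0/0/1")      # same connection, not reopened
        removed = lookup(reader, "ge-0/0/2")
        try:  # a failed update (NULL violates NOT NULL) must roll back completely
            replace_mapping(path, {"ge-0/0/9": None})
        except sqlite3.IntegrityError:
            pass
        survived = lookup(reader, "ge-0/0/1")
    return before, after, removed, survived

if __name__ == "__main__":
    print(demo())
```

An interface missing from the map returns `None`, which the caller should treat as an explicit "unknown access type" rather than falling through to a default.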
