Can I define an internal attribute for a module?
Alan DeKok
aland at deployingradius.com
Tue Oct 2 12:53:53 CEST 2018
On Oct 2, 2018, at 6:33 AM, Alejandro Perez-Mendez <alex.perez-mendez at jisc.ac.uk> wrote:
> The doubt I have is where and how to store the OTP secret codes. So far, for development, I have a Python dictionary defined in the Python module with all the User-Name -> Secret key associations, but having these in the code is not a good practice and it requires managing two user lists, one for authentication (users file or SQL DB or LDAP...) plus this OTP secret list. This might lead to inconsistencies.
>
> The first option I thought of was to make use of the config {} subsection of the python module, but it would still be a second user list (besides the main one used for authentication).
>
> Then I thought that I might be able to define an internal attribute (similar to Cleartext-Password) that contained the OTP secret. It would be defined as follows:
>
> ATTRIBUTE OTP-Secret 3000 string

That's possible...

> And then use it on the "users" file or on the DB as follows:
>
> alex@test.org Cleartext-Password := "OneTestingPassword", OTP-Secret := "7MR674BRPXXNYGGMPFA52MW6GSMA6JQL"
>
> This way I would be able to define the OTP Secret right next to the user password, on any backend that I'd like to use (users file, LDAP, SQL...).
>
> I've tested it and it works, so the question is: Can I define internal attributes for private module usage? If so, how are numbers allocated? Can I use any number I want if it's not currently in use?

The "on the wire" numbers are allocated by IANA. The "internal" numbers are allocated by us, via dictionary.freeradius.internal.

The question is: who is going to use this functionality? If it's just you, then use raddb/dictionary, and the numbers there. If it's the general FreeRADIUS community, then send a pull request for dictionary.freeradius.internal. If it's some people but not a lot, then it's difficult to say what the best choice is.

Alan DeKok.
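
An added example, not code from the thread or from FreeRADIUS: once the secret travels with the user entry as OTP-Secret, the Python module can look it up in the attribute pairs it is given instead of in a hard-coded dictionary. It assumes the OTP is TOTP (RFC 6238, HMAC-SHA1, 6 digits, 30-second step), Python 3, and that the attribute reaches the module as (name, value) string pairs; `totp`, `find_attr` and `check_otp` are hypothetical names.

```python
import base64
import hashlib
import hmac
import struct
import time

OTP_ATTR = "OTP-Secret"  # attribute name from the dictionary entry in the thread
STEP = 30                # assumed TOTP time step in seconds


def totp(secret_b32, now, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `now`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)  # raises ValueError on a malformed secret
    mac = hmac.new(key, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F         # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def find_attr(pairs, name):
    """Return the first value for `name` in (attribute, value) pairs, or None."""
    for attr, value in pairs:
        if attr == name:
            return value.strip('"')  # tolerate a value handed over in quotes
    return None


def check_otp(pairs, submitted, now=None, window=1):
    """True if `submitted` matches the user's TOTP within +/- `window` steps."""
    secret = find_attr(pairs, OTP_ATTR)
    if not secret:
        return False                 # no secret provisioned: reject
    now = time.time() if now is None else now
    ok = False
    try:
        for drift in range(-window, window + 1):
            t = now + drift * STEP
            if t < 0:
                continue
            # Constant-time compare; keep looping so timing does not leak drift.
            ok |= hmac.compare_digest(totp(secret, t).encode(), submitted.encode())
    except ValueError:
        return False                 # secret is not valid base32: reject
    return ok
```

A user entry without OTP-Secret, or with a secret that is not valid base32, is rejected rather than skipped.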