help-gnu-radius

Re: [Help-gnu-radius] Radius replacement


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Radius replacement
Date: Fri, 19 Aug 2005 11:25:05 +0300

Derrick MacPherson <address@hidden> wrote:

> ntlm_auth can access the info, I've got squid doing so using:
> 
> auth_param ntlm program /usr/local/bin/ntlm_auth \
> --helper-protocol=squid-2.5-ntlmssp --require-\
> membership-of=S-1-5-21-1058564242-1277044956-825688854-1337\
>  Domain Group (2)
> 
> auth_param basic program /usr/local/bin/ntlm_auth \
> --helper-protocol=squid-2.5-basic
> 
> Is there a way for gnu-radius to interpret that data?

Yes, you can use filters[1] to do so. You will have to use the
ntlm-server-1 helper protocol and install a wrapper around ntlm_auth.
In general, the (untested) configuration will look like this:

1. Filter script (/usr/local/bin/ntlm-filter):

#! /bin/sh
# Bridge between the GNU Radius filter protocol (one "user password"
# line per request on stdin, one status line per reply on stdout) and
# the ntlm_auth ntlm-server-1 helper protocol.

# Nothing may follow the backslash on the continued line: with leading
# spaces the SID would be parsed as a separate command, not as part of
# the option value.
NTLM_OPTIONS=--require-membership-of=\
S-1-5-21-1058564242-1277044956-825688854-1337

# Request side: turn each radius input line into an ntlm-server-1 block
# ("Username:", "Password:", then a lone "." terminating the block).
# -r keeps backslashes in the password intact.
#
# Reply side: every ntlm_auth response block also ends with ".", so one
# filter reply is emitted per block: 0 = accept, 1 = reject, optionally
# followed by a Reply-Message carrying the helper's error text.
while read -r USER PASS
do
        echo "Username: $USER"
        echo "Password: $PASS"
        echo "."
done |
 ntlm_auth --helper-protocol=ntlm-server-1 $NTLM_OPTIONS |
 (status=No
 message=""
 while read -r RESULT REST
 do
        case $RESULT in
        Authenticated:)
                status=$REST;;
        Authentication-Error:)
                message=$REST;;
        .)      if [ "$status" = Yes ]; then
                   echo 0
                elif [ -n "$message" ]; then
                   echo "1 Reply-Message = \"$message\""
                else
                   echo 1
                fi
                status=No
                message=""
                ;;
         esac
 done)

# End of ntlm-filter

2. raddb/config file:

filters {
        filter ntlm {
               exec-path "/usr/local/bin/ntlm-filter";
               error-log "ntlm-filter.log";
               auth {
                    input-format "%C{User-Name} %C{User-Password}";
                    wait-reply yes;
               };
        };
};

3. raddb/users file:

DEFAULT   Auth-Type = Accept
          Exec-Program-Wait = "|ntlm"

Notice that this is only a framework, since I have not got any Windows
machines to test it on, so you may need to tailor it to your needs.
As usual, feel free to write if you encounter any problems.

Regards,
Sergey

[1] For a detailed description of filters, please see
http://www.gnu.org/software/radius/manual/html_node/radius_102.html#SEC192
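As an added example, not part of Sergey's post nor of GNU Radius or Samba: the two translations the filter performs (radius input line to ntlm-server-1 request block, ntlm-server-1 response block to radius filter reply) factored into shell functions, so the mapping can be exercised offline without winbind, a domain, or radiusd. The function names, the constructed response stream, and the NT_STATUS_WRONG_PASSWORD error text are assumptions for illustration; the response line format ("Authenticated: Yes/No", "Authentication-Error: ...", "." terminator) is the one the posted script relies on.

```shell
#!/bin/sh
# Added example (not from the original post): testable pieces of an
# ntlm-server-1 <-> GNU Radius filter bridge, run against constructed input.

# Request side: each stdin line carries what the radius input-format
# "%C{User-Name} %C{User-Password}" produces, i.e. "user password".
# Emit one ntlm-server-1 request block per line. -r keeps backslashes.
filter_request_to_ntlm() {
    while read -r user pass; do
        printf 'Username: %s\nPassword: %s\n.\n' "$user" "$pass"
    done
}

# Reply side: read ntlm-server-1 response blocks from stdin and print one
# GNU Radius filter reply per block: "0" on success, "1" on failure,
# "1 Reply-Message = \"<error>\"" when the helper gave an error text.
ntlm_to_filter_reply() {
    status=No
    message=""
    while IFS= read -r line; do
        value=${line#*: }            # text after the first "colon space"
        case $line in
        Authenticated:*)        status=$value ;;
        Authentication-Error:*) message=$value ;;
        .)
            if [ "$status" = Yes ]; then
                echo 0
            elif [ -n "$message" ]; then
                echo "1 Reply-Message = \"$message\""
            else
                echo 1
            fi
            status=No
            message=""
            ;;
        esac
    done
}

# Constructed sample (assumption, not captured from a real ntlm_auth) of
# the helper's output for three requests: a success, a failure with an
# error text, and a bare failure.
SAMPLE_RESPONSES='Authenticated: Yes
.
Authenticated: No
Authentication-Error: NT_STATUS_WRONG_PASSWORD
.
Authenticated: No
.'

# Stand-alone run: show the request blocks for two constructed logins and
# the filter replies derived from the sample response stream.
printf 'alice s3cret\nbob pa\\ss\n' | filter_request_to_ntlm
printf '%s\n' "$SAMPLE_RESPONSES" | ntlm_to_filter_reply
```

Because both sides are plain functions, the same file can be pointed at the real helper by piping `filter_request_to_ntlm | ntlm_auth --helper-protocol=ntlm-server-1 ... | ntlm_to_filter_reply`; the error text is placed inside the quoted Reply-Message value unchanged, exactly as the posted script does.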
