Ok,
That's interesting. So if neither CUI nor User-Name are set, but the authorization and authentication succeeded, that's acceptable? Which of the two attributes is used for local user mapping (i.e. for home directories in an SSH context) - I assume (based on the Wiki docs) it should be User-Name?
With Regards
Stefan
-----Original Message-----
From: Sam Hartman [mailto:[log in to unmask]]
Sent: 16 May 2013 15:12
To: Paetow, Stefan (DLSLtd,RAL,DIA)
Cc: [log in to unmask]
Subject: Re: Is RADIUS attribute User-Name still required for SSH?
>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
Stefan> Hi, As part of our work in this space, we've been working
Stefan> primarily with the Chargeable-User-Identity, but part of the
Stefan> older Wiki docs still appear to require the User-Name
Stefan> attribute to be set by the RADIUS server? Is this still
Stefan> required, and if so, for how long?
Username is required if your service wants to know the username.
The username will be what GSS-API returns to the application as the username.
If no username is set then the connection will be treated as anonymous.
If your application looks at other attributes to make authorization decisions then this is fine.
Making authorization decisions based on chargeable-user-identity doesn't seem like it uses that attribute correctly. As I understand things, that attribute is intended for accounting purposes.
--Sam