> How can I make those "bad" users unable to use modem pool while keeping the file "users"
> short and simple (i.e. to keep no more than one record for each "denied"
> user in "users" file) ?
>
> Thanks for your answer
(Warning: code snippet included. If it turns your stomach, ignore it.)
We've patched radiusd.c to check a file to see if the user is currently
disabled. (We use the file instead of some more interesting way of doing
it because a lot of our programs interface with this file to check to see
if the user is allowed to access things).
Admittedly, it causes radius to open another file whenever a user logs
in, but it opens up quite a few already, so we didn't consider it too bad.
In the function rad_authenticate, you'll find this code segment:

    /* Validate the user */
    /* Look for matching check items */
    result = 0;
    user_msg = (char *)NULL;
    check_item = user_check;
    ^^^^ * our code goes here * ^^^^
    while(result == 0 && check_item != (VALUE_PAIR *)NULL) {

Insert this snippet:

    /* Don't let disabled users on */
    denyfile = fopen(DENYFILE, "r");
    if (denyfile) {
        /* One username per line; bound the read by the real buffer size */
        while (fgets(denylist, sizeof(denylist), denyfile)) {
            /* Strip the trailing newline before comparing */
            strposme = strchr(denylist, '\n');
            if (strposme) *strposme = '\0';
            if (!(strcmp(denylist, namepair->strvalue))) {
                user_msg = "Your account has expired\n";
                result = -1;
                break;
            }
        }
        fclose(denyfile);
    }

You'll have to #define DENYFILE to be the full path of the file that
denies access, and declare a FILE *denyfile and a char *strposme and a
char denylist[somevalue] (somevalue should be a few longer than the
longest username you've got).
It's not pretty, and it lets the user try to log on 3 times. Is there a
way in radius to force a hangup? I really haven't gotten into the code
yet, I just patched it so that our expired users couldn't log on.
-Dave Andersen
--
angio@aros.net Complete virtual hosting and business-oriented
system administration Internet services. (WWW, FTP, email)
http://www.aros.net/ http://www.aros.net/about/virtual/
"She totally confused all the passing piranhas"
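
An added example, not part of the message above or of the RADIUS source: the same deny-file lookup as a stand-alone C function that bounds the read by the buffer size, skips overlong lines instead of matching their tail, accepts CRLF line endings, and reports an unreadable file so the caller can choose to fail closed. The names `user_is_denied`, `write_sample_denyfile`, `MAX_NAME` and the sample file name are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64  /* assumption: longest username at this site */

/* Returns 1 if username is listed, 0 if not, -1 if the file is unreadable.
 * The caller chooses between failing open or closed on -1. */
int user_is_denied(const char *path, const char *username)
{
    char line[MAX_NAME + 2];             /* name + '\n' + '\0' */
    int found = 0, c;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    while (!found && fgets(line, sizeof line, fp) != NULL) {
        size_t len = strcspn(line, "\r\n");
        if (line[len] == '\0' && !feof(fp)) {
            /* Overlong line: drop the remainder so its tail is never
             * compared as if it were a separate entry. */
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
            continue;
        }
        line[len] = '\0';                /* strip LF or CRLF */
        found = (strcmp(line, username) == 0);
    }
    fclose(fp);
    return found;
}

/* Writes a constructed sample deny file; returns 0 on success. */
int write_sample_denyfile(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    for (int i = 0; i < MAX_NAME + 1; i++)  /* overlong line ending in "alice" */
        fputc('x', fp);
    fputs("alice\nbob\r\ncarol", fp);       /* CRLF entry, no final newline */
    return fclose(fp);
}

int main(void)
{
    const char *p = "denyfile.sample";      /* constructed sample path */
    if (write_sample_denyfile(p) != 0) return 1;
    printf("bob=%d alice=%d\n", user_is_denied(p, "bob"), user_is_denied(p, "alice"));
    return 0;
}
```

In an authentication path, treating a return of -1 the same as 1 keeps a missing or unreadable deny file from silently re-enabling every disabled account.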