

Authentication with Scheme

The Scheme procedure used for authentication must be declared as follows:

Function Template: auth-function request-list check-list reply-list
Its arguments are:
request-list
The list of A/V pairs from the incoming request
check-list
The list of A/V pairs from the LHS of the profile entry that matched the request.
reply-list
The list of A/V pairs from the RHS of the profile entry that matched the request.

The function's return value determines whether the authentication succeeds. The function must return either a boolean value or a pair. Returning #t causes authentication to succeed; returning #f causes it to fail.

If the function wishes to add something to the reply A/V pairs, it should return a pair in the form:

        (cons return-code list)

Where return-code is a boolean value with the same meaning as described above, and list is a list of A/V pairs to be added to the reply list. For example, the following function always denies the authentication, returning an appropriate message to the user:

    (define (decline-auth request-list check-list reply-list)
      (cons #f
            (list
             (cons "Reply-Message"
                   "\r\nSorry, you are not allowed to log in\r\n"))))

As a more constructive example, let's consider a function that allows the authentication only if the user name is found in its internal database, and selects the reply attributes according to the request that arrived. Each entry of `staff-data' maps a user name to a list of (check-list . reply-list) pairs; the first pair whose check list matches the request supplies the attributes to add to the reply. Note that every path which finds no user or no matching entry returns #f, so the procedure fails closed:

    (define staff-data
      (list
       (list "scheme"
             ;; Entry 1: applies when the request comes from this NAS.
             (cons
              (list (cons "NAS-IP-Address" "127.0.0.1"))
              (list (cons "Framed-MTU" "8096")))
             ;; Entry 2: empty check list, matches any other request.
             (cons
              '()
              (list (cons "Framed-MTU" "256"))))))

    (define (auth req check reply)
      ;; REQ is the list of A/V pairs from the incoming request.
      (let ((username (assoc "User-Name" req)))
        (if (not username)
            #f                          ; no User-Name at all: deny
            (let ((user-data (assoc (cdr username) staff-data)))
              (rad-log L_INFO (format #f "~A" user-data))
              (if (not user-data)
                  #f                    ; unknown user: deny
                  ;; Walk the (check-list . reply-list) pairs; the first
                  ;; whose check list matches the request wins.
                  (let loop ((entries (cdr user-data)))
                    (cond
                     ((null? entries) #f)   ; nothing matched: deny
                     ((avl-match? req (car (car entries)))
                      (cons #t (cdr (car entries))))
                     (else (loop (cdr entries))))))))))
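Before wiring a procedure into `raddb/users', it pays to exercise it outside radiusd and to confirm that whatever it returns obeys the contract above (#t, #f, or a pair of a boolean and a list of A/V pairs). The following is an added example written for this page; it is not part of the GNU Radius manual or distribution. It stubs `rad-log' and `L_INFO', which radiusd normally provides (the stubs are assumptions for testing and must not be loaded into the server), and runs a hypothetical NAS allow-list policy through its accept, deny and missing-attribute paths on constructed requests.

```scheme
;; auth-harness.scm -- offline test of a Scheme authentication hook.
;; Added example, not part of GNU Radius.  Run with: guile -s auth-harness.scm

(use-modules (srfi srfi-1) (ice-9 format))

;;; Stand-ins for what radiusd provides at run time.  Semantics are assumed
;;; for this test only; radiusd supplies the real ones.
(define L_INFO 'info)
(define (rad-log prio msg)
  (format #t "[~a] ~a~%" prio msg))

;;; Hook under test: hypothetical policy that accepts only requests arriving
;;; from NAS addresses on an allow-list and tells the user why otherwise.
(define trusted-nas (list "127.0.0.1" "192.0.2.10"))   ; constructed list

(define (nas-restricted-auth request-list check-list reply-list)
  (let ((nas (assoc "NAS-IP-Address" request-list)))
    (cond
     ((not nas)                         ; attribute absent: fail closed
      (rad-log L_INFO "request without NAS-IP-Address")
      #f)
     ((member (cdr nas) trusted-nas)
      (cons #t (list (cons "Framed-MTU" "1500"))))
     (else
      (rad-log L_INFO (format #f "login refused from NAS ~a" (cdr nas)))
      (cons #f (list (cons "Reply-Message"
                           "\r\nSorry, your NAS is not authorised\r\n")))))))

;;; Contract check: a hook may return #t, #f, or (boolean . list-of-pairs).
(define (av-pair? x)
  (and (pair? x) (string? (car x))))

(define (valid-result? r)
  (or (boolean? r)
      (and (pair? r)
           (boolean? (car r))
           (list? (cdr r))
           (every av-pair? (cdr r)))))

;;; Normalise any valid result to (accepted? . extra-reply-pairs).
(define (normalise r)
  (if (boolean? r) (cons r '()) r))

(define (run-case label hook request)
  ;; Call HOOK the way radiusd would (empty check and reply lists here),
  ;; refuse results outside the contract, and report the outcome.
  (let ((result (hook request '() '())))
    (unless (valid-result? result)
      (error "hook returned a value outside the documented contract"
             label result))
    (let ((n (normalise result)))
      (format #t "~a: ~a, extra reply pairs ~s~%"
              label
              (if (car n) "Access-Accept" "Access-Reject")
              (cdr n))
      n)))

;; Constructed requests, not real captures.
(define good-req (list (cons "User-Name" "scheme")
                       (cons "NAS-IP-Address" "127.0.0.1")))
(define bad-req  (list (cons "User-Name" "scheme")
                       (cons "NAS-IP-Address" "203.0.113.9")))
(define no-nas   (list (cons "User-Name" "scheme")))

(run-case "trusted NAS" nas-restricted-auth good-req)
(run-case "untrusted NAS" nas-restricted-auth bad-req)
(run-case "missing NAS-IP-Address" nas-restricted-auth no-nas)
```

The `valid-result?' check is the part worth keeping around: a hook that returns, say, a bare list of A/V pairs or an unbound symbol on some rarely taken branch will not be caught by the happy-path test, and the deny branches are exactly the ones that matter for security.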

To trigger the invocation of the Scheme authentication function, assign its name to the Scheme-Procedure attribute in the RHS of the corresponding `raddb/users' profile. E.g.:

    DEFAULT Auth-Type = SQL
            Scheme-Procedure = "auth"
