Have spent many hours searching and no luck so far,
I am looking for a clean way to group devices in freeradius for policy reference.
I tried creating a custom dictionary attribute (Device-Group) and applying it under the client definition
client cisco_device {
ipaddr = 1.2.3.4
Device-Group = Cisco_ISRs
}
and then in the authorization section:
if (&Device-Group == 'Cisco_ISRs') {
&cisco-avpair := 'priv-lvl 15'
}
But looking at the debug, custom dictionary attributes dont apply with clients.
The only alternative I have so far relies on naming conventions. i.e.
client cisco_site1 {
#blah blah
}
authorize {
if (&Client-Shortname =~ '/^cisco_./') {
#blah blah
}
}
but it would be nicer to have it in defined groups.
Any insight or ideas would be greatly appreciated.
Related
There is my irule config as below :
when HTTP_REQUEST {
switch [HTTP::query] {
"*NetTest0*" {
HTTP::respond 200 content "NetTest0()"
}
"*NetTest1*" {
HTTP::respond 200 content "NetTest1()"
}
"*NetTest2*" {
HTTP::respond 200 content "NetTest2()"
}
"*NetTest3*" {
HTTP::respond 200 content "NetTest3()"
}
}}
Is there any method can get uri as a variable, and replace NetTest0 to NetTest0()?
you can use the HTTP::uri command to get and set the URI. Depending on the complexity of your replacements, you can use string map (preferred for performance reasons) or regsub (avoid if possible, but useful if you need it.)
Here are a couple examples of the string map that should help you get started:
https://community.f5.com/t5/technical-forum/variable-in-a-string-map/td-p/263863
https://community.f5.com/t5/technical-forum/string-map-with-variables-including-quotes/td-p/252969
We recently launched a new platform and engaging on DevCentral is far easier than before, feel free to join us there for future F5-related questions!
I'm looking for solution how to get a hostname from Nagios/Icinga by searching it by custom variable with cmd/status.cgi.
I have a custom variable with unique specific IDs on every host. I have to get the hostname by searching on ID. There is a documentation for CGI commands but I could not find the needed functionality: https://icinga.com/docs/icinga1/latest/en/cgiparams.html
UPD: I am using python for CGI requests. Maybe there is also a library to do that.
Does anyone know, if it is possible?
For Nagios at least, this is possible. You can call the host details on the objectjson.cgi for a hostgroup and in your result.json(), you would have the custom_variables for each of the hosts. With that, you can map an ID to the hostname.
make your request to https://<your_url>/nagios/cgi-bin/objectjson.cgi?query=hostlist&details=true&hostgroup=<your_hostgroup>
{...
"data": {
"hostlist": {
"<host1>": {
....
"custom_variables": {
<custom host variables dict>
},
"<host2>": {
....
}
}
}
}
untested! using python's requests module:
hostlist = result.json().get('data').get('hostlist')
id_map = {hostlist.get(host).get('custom_variables').get('your_id_key'):host for host in hostlist.keys()}
Im building a freeradius server for authenticate.
I have a problem with policy.conf:
The policy.conf was loaded in radius.conf as $INCLUDE policy.conf but the content of this file didn't work.
I tested by login with 'test' user but it didn't reject. Can someone help me about this, thanks very much.
policy {
#
# Forbid all EAP types.
#
if (User-Name == 'test'){
reject
}
forbid_eap {
if (EAP-Message) {
reject
}
}
#
# Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
if (!EAP-Message) {
# We MAY be inside of a TTLS tunnel.
# PEAP and EAP-FAST require EAP inside of
# the tunnel, so this check is OK.
# If so, then there MUST be an outer EAP message.
if (!"%{outer.request:EAP-Message}") {
reject
}
}
}
#
# Forbid all attempts to login via realms.
#
deny_realms {
if (User-Name =~ /#|\\/) {
reject
}
}
}
First you need to give your policy a name (like the other policies in the policy section).
policy {
reject_test {
if (User-Name == 'test'){
reject
}
}
}
You then need to list the policy in one of the sections (authorize, authenticate, post-auth etc...) of one of the virtual servers.
See the concepts page in the FreeRADIUS wiki for some basic details about which sections get run and where.
If you're using a stock configuration you'll likely need to edit raddb/sites-available/default.
In this case you probably want to add your policy to the authorize section.
authorize {
reject_test
...
}
You don't actually need to define policies in order to run use the policy language, you could insert your condition directly into the authorize section.
authorize {
if (User-Name == 'test'){
reject
}
}
I am getting confused about Firebase Security. Here why...
For example; I have the following database:
clients: {
$key: {
//client data
}
}
trainer: {
$key: {
//trainer data
}
}
I need a client to be able to see their own information. I need a trainer to be able to see the information of all their clients, but not other trainers.
So client A, B and C can see their personal, private data. But Trainer A can only see client A and B's details (he doesn't train C).
The problem I run into is that you can't seem to request for example all clients, but only return the ones that checkout with security rules. As the docs state, if one in the list returns false, the whole bunch does.
How can I create the correct structure and security rules?
You should impliment something like adding clients to trainer as friend. Create a node sharedwith which contains trainer as child and trainer will contains A & B clients key and their data .
Similar to examples in the Firebase docs (https://firebase.google.com/docs/database/security/user-security), this might work for you.
I think at a minimum your structure could benefit from having a direct key tie between client and trainer. Something like
clients: {
clientA: {
trainerKey: "trainerA"
}
}
trainers: {
trainerA: {
clients: { clientA: true, clientB: true }
}
}
Security Rules - edited to include user
"clients": {
".read": "auth !== null && (root.child('trainers/' + $trainerKey + '/clients').child($uid).exists() || auth.uid == $uid")
}
This a) checks that a user is authenticated and b) looks to see if the client is in the list of clients for the trainer OR whether this is the client.
This is untested, but hopefully gets you where you're trying to go. I'm also making the assumption that your clients IDs are the same as their auth ID.
I'm new to Rails (but not new to web development in general). I'm using the mws-connect gem (https://github.com/devmode/mws) to connect to Amazon Marketplace Web Service. I'm trying to cancel an order, and according to the Amazon MWS API docs, the following xml code is what needs to be sent (as far as I can tell) :
<?xml version="1.0"?>
<AmazonEnvelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="amzn-envelope.xsd">
<Header>
<DocumentVersion>1.01</DocumentVersion>
<MerchantIdentifier> M_IDENTIFIER</MerchantIdentifier>
</Header>
<MessageType>
OrderAcknowledgment
</MessageType>
<Message>
<MessageID>1</MessageID>
<OrderAcknowledgement>
<AmazonOrderID>050-1234567-1234567</AmazonOrderID>
<StatusCode>Failure</StatusCode>
<CancelReason>Reason for cancellation</CancelReason>
</OrderAcknowledgment>
</Message>
</AmazonEnvelope>
The gem documentation isn't clear on how to do this since the examples are all for how to add or update a product listing, which I tested and works just fine. I've tried about every way I can think of to just build the "feed" request manually to submit it and use the rest of the class to handle the submission stuff since I know that works. The current example of the code that I have in a SalesOrder class is:
def self.cancel_amazon_order(amazon_order_id, cancel_reason)
mws = Mws.connect(
merchant: 'merchant_id',
access: 'access_key',
secret: 'secret'
)
cancel_feed = Mws::Feed.new 'merchant_id', :order_acknowledgement do
#messages << {
MessageID: '1',
OrderAcknowledgement: {
AmazonOrderID: amazon_order_id,
StatusCode: 'Failure',
CancelReason: cancel_reason
}
}
end
end
This code doesn't throw any errors, but when I try to do cancel_feed.to_xml (what I can see is the next step towards submitting the feed), I get an error saying
ArgumentError: Namespace indent has not been defined
Are there any rails pros out there that might have an idea how to make this gem work, either the to_xml method, or better yet how to get the cancel itself through? I feel like I'm not too far off. I'm coming from a PHP background, so my thought process on this is probably off a bit. I've loved Rails so far, but I'm pulling my hair out on this one, any help is appreciated!
In case anyone is interested, the solution I ended up with was:
mws = Mws.connect merchant: AMAZON_CONFIG['merchant_id'], access: AMAZON_CONFIG['access'], secret: AMAZON_CONFIG['secret']
cancel_xml = Nokogiri::XML::Builder.new do | xml |
xml.AmazonEnvelope('xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance', 'xsi:noNamespaceSchemaLocation' => 'amznenvelope.xsd') {
xml.Header {
xml.DocumentVersion '1.01'
xml.MerchantIdentifier AMAZON_CONFIG['merchant_id']
}
xml.MessageType 'OrderAcknowledgement'
xml.Message {
xml.MessageID '1'
xml.OrderAcknowledgement {
xml.AmazonOrderID order_id
xml.StatusCode 'Failure'
items.each do | item |
xml.Item {
xml.AmazonOrderItemCode item[:item_code]
xml.CancelReason 'NoInventory'
}
end
}
}
}
end.to_xml
mws.feeds.submit cancel_xml, {feed_type: :order_acknowledgement}