Hi all,

This is a rather detailed question, since it relates to the source code of freeRADIUS, 
but I'm trolling to see if anyone has come across this or what a freeRADIUS expert 
might suggest as a solution.

Configurable failover is working for me in the authorize section.  Also, I've built an 
authenticate section in rlm_files so that now configurable failover is working in the 
authenticate section (for MS-CHAP in my case).  In both cases I'm proxying to another 
realm as the failover.

Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to 
configure failover if an account is expired, since account expiration doesn't seem to 
be part of the authorize section.

Code details:
In src/main/auth.c:rad_authenticate, it loops over the registered and configured 
modules with an authorize section, then it checks to see if it needs to proxy, then it 
performs the authentication.  Authentication starts by checking the account expiration 
followed by checking the password, and so on.  Checking the password 
(rad_check_password) includes calling the appropriate module_authenticate.  So 
checking account expiration is stuck in a "no man's land" between authorization and 
authentication.  Is there a way for me to include expiration as a rejection of 
authentication in configurable failover, or do I need to hack the source code?

Around line 550 of src/main/auth.c in rad_authenticate:
        /*
         *      Validate the user
         */
        do {
                if ((result = check_expiration(request)) < 0)
                        break;
        ...

Around line 710 of src/main/auth.c in rad_authenticate:
        /*
         *      Result should be >= 0 here - if not, we return.
         */
        if (result < 0) {
                return RLM_MODULE_OK;
        }

Note: check_expiration returns -1 if the account has expired.

Thanks in advance,
Daniel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
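
The control-flow problem described in the post, as an added example that is not part of the original message and is not FreeRADIUS source. It is a simplified model in which every name (the `rcode` values, `flow_inline`, `flow_staged`, the `failover_on` policy table) is hypothetical. It contrasts an expiration test done inline between the two phases with the same test run as a stage whose return code a failover policy can act on.

```c
#include <stdio.h>
#include <time.h>

/* Simplified model of the flow in the post; NOT FreeRADIUS source.
 * All names here are hypothetical. */
enum rcode   { RC_OK, RC_REJECT, RC_USERLOCK };
enum outcome { ACCEPT, REJECT, PROXY_TO_FAILOVER_REALM };

struct request {
    time_t expiration;  /* 0 means no expiration attribute present */
    time_t now;
    int    password_ok;
};

static enum rcode check_expired(const struct request *r) {
    return (r->expiration && r->expiration < r->now) ? RC_USERLOCK : RC_OK;
}
static enum rcode check_password(const struct request *r) {
    return r->password_ok ? RC_OK : RC_REJECT;
}

/* Flow A: expiration tested inline between the two module phases.
 * The failure is final; no failover policy is ever consulted. */
enum outcome flow_inline(const struct request *r) {
    if (check_expired(r) != RC_OK) return REJECT;
    return check_password(r) == RC_OK ? ACCEPT : REJECT;
}

/* Flow B: expiration is one stage in a chain whose return codes are
 * mapped to actions, so a policy can fail over on RC_USERLOCK only. */
typedef enum rcode (*stage_fn)(const struct request *);

enum outcome flow_staged(const struct request *r, const int failover_on[3]) {
    static const stage_fn stages[] = { check_expired, check_password };
    for (size_t i = 0; i < sizeof stages / sizeof stages[0]; i++) {
        enum rcode rc = stages[i](r);
        if (rc == RC_OK) continue;
        return failover_on[rc] ? PROXY_TO_FAILOVER_REALM : REJECT;
    }
    return ACCEPT;
}

int main(void) {
    const int policy[3] = { 0, 0, 1 };           /* fail over on RC_USERLOCK */
    struct request expired = { 1000, 2000, 1 };  /* constructed sample */
    printf("inline=%d staged=%d\n", flow_inline(&expired),
           flow_staged(&expired, policy));
    return 0;
}
```

With the policy table keyed on the return code, only the expired-account code triggers the proxy; a wrong password still ends in a reject and is not retried against the other realm.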
