On Tue, 13 Jul 2004, Roy, Daniel wrote:

> Hi all,
>
> This is a rather detailed question, since it relates to the source code of 
> freeRADIUS, but I'm trolling to see if anyone has come across this or what a 
> freeRADIUS expert might suggest as a solution.
>
> Configurable failover is working for me in the authorize section.  Also, I've built 
> an authenticate section in rlm_files so that now configurable failover is working in 
> the authenticate section (for MS-CHAP in my case).  In both cases I'm proxying to 
> another realm as the failover.
>
> Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to 
> configure failover if an account is expired, since account expiration doesn't seem 
> to be part of the authorize section.
>
> Code details:
> In src/main/auth.c:rad_authenticate, it loops over the registered and configured 
> modules with an authorize section, then it checks to see if it needs to proxy, then 
> it performs the authentication.  Authentication starts by checking the account 
> expiration followed by checking the password, and so on.  Checking the password 
> (rad_check_password) includes calling the appropriate module_authenticate.  So 
> checking account expiration is stuck in a "no man's land" between authorization and 
> authentication.  Is there a way for me to include expiration as a rejection of 
> authentication in configurable failover or do I need to hack the source code?
>
> Around line 550 of src/main/auth.c in rad_authenticate:
>       /*
>        *      Validate the user
>        */
>       do {
>               if ((result = check_expiration(request)) < 0)
>                               break;
>       ...
>
> Around line 710 of src/main/auth.c in rad_authenticate:
>       /*
>        *      Result should be >= 0 here - if not, we return.
>        */
>       if (result < 0) {
>               return RLM_MODULE_OK;
>       }
>
> Note: check_expiration returns -1 if the account has expired.
>
> Thanks in advance,
> Daniel
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Expiration handling should probably be moved to a separate module. I've opened
bug #105 for that.



--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
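
Added example (not part of the thread and not FreeRADIUS source): a toy C model of the two layouts discussed above, the hard-wired expiration check from the question and the check recast as a module inside a failover group as the reply proposes. Every type, function and return code in it is hypothetical and chosen only to show the control flow.

```c
#include <stddef.h>
#include <time.h>

/* Hypothetical names throughout; this models control flow, not FreeRADIUS code. */
enum rc { RC_OK, RC_FAIL };                          /* per-module result */
enum outcome { OUT_LOCAL, OUT_REJECT, OUT_PROXIED }; /* fate of the request */
struct request { time_t expiration, now; int proxied; }; /* expiration 0 = unset */
typedef enum rc (*module_fn)(struct request *);

/* Expiration check expressed as a module: fails once the date has passed. */
static enum rc mod_expiration(struct request *r)
{
    return (r->expiration != 0 && r->expiration <= r->now) ? RC_FAIL : RC_OK;
}

/* Stand-in for "proxy to another realm" as the failover target. */
static enum rc mod_proxy(struct request *r)
{
    r->proxied = 1;
    return RC_OK;
}

/* Failover group: run modules in order, stop at the first that succeeds. */
static enum rc run_failover(const module_fn *mods, size_t n, struct request *r)
{
    enum rc rc = RC_FAIL;
    for (size_t i = 0; i < n && rc != RC_OK; i++)
        rc = mods[i](r);
    return rc;
}

/* Layout from the question: the check is hard-wired, so a negative result
 * ends the request before any configured module can react to it. */
enum outcome authenticate_hardwired(time_t expiration, time_t now)
{
    struct request r = { expiration, now, 0 };
    int result = (mod_expiration(&r) == RC_OK) ? 0 : -1;
    return (result < 0) ? OUT_REJECT : OUT_LOCAL;
}

/* Layout from the reply: expiration is one module in a failover group. */
enum outcome authenticate_modular(time_t expiration, time_t now)
{
    struct request r = { expiration, now, 0 };
    const module_fn group[] = { mod_expiration, mod_proxy };
    if (run_failover(group, 2, &r) != RC_OK)
        return OUT_REJECT;
    return r.proxied ? OUT_PROXIED : OUT_LOCAL;
}
```

In this model an expired account is rejected outright by the hard-wired layout but reaches the failover target in the modular one; an unexpired account is handled locally in both.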
