I think this issue has come up on this list before. Someone posted this
solution. I am pasting it down here. You can search the list for more
information about it too.
Here we go
Alejandro Galue wrote:
> To reject users:
>
> Reply-Message := 'You can not login now'
> And the exit code is 1
>
> PROBLEM:
>
> BUT, Reply-Message on Access-Reject is not modified.
> The Reject Message does not contain any attributes.
According to me it's a bug and I have submitted patches several times.
I think it's not being accepted because I don't know how to send text
mail with real tabs :(
Here's my patch that solves this for 1.0.0:
--- src/main/auth.c.orig 2004-08-10 23:13:25.000000000
+0000
+++ src/main/auth.c 2004-08-10 23:14:18.000000000
+0000
@@ -886,18 +886,15 @@
* fork/exec errors, or >0 if the exec'ed program
* had a non-zero exit status.
*/
- if (umsg[0] == '\0') {
- user_msg = "\r\nAccess denied (external check
failed).";
- } else {
- user_msg = &umsg[0];
+ if (r < 0) {
+ user_msg = "Access denied (external check
failed)";
+ tmp = pairmake("Reply-Message", user_msg,
T_OP_SET);
+ pairadd(&request->reply->vps, tmp);
}
request->reply->code = PW_AUTHENTICATION_REJECT;
- tmp = pairmake("Reply-Message", user_msg,
T_OP_SET);
-
- pairadd(&request->reply->vps, tmp);
rad_authlog("Login incorrect (external check
failed)",
- request, 0);
+ request, 1);
return RLM_MODULE_REJECT;
}
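Review bot: In the new `if (r < 0)` branch the Reply-Message is added only for fork/exec errors, so for a non-zero exit status (r > 0) this hunk adds nothing and no longer reads umsg at all. That is only correct if the program's output pairs are already in request->reply->vps at this point, which these lines do not show; the comment above the test should say where they come from and that a script printing no Reply-Message now produces a reject with none. The result of pairmake() is passed to pairadd() without a NULL check (carried over from the old code), which is worth guarding while this code is being touched. The switch of the last rad_authlog() argument from 0 to 1 is not explained in the message and is separate from the Reply-Message fix; say what it changes in the auth log or send it as its own patch. As posted, the mailer has wrapped several lines and the tabs are lost, so the hunk will not apply without repair; sending the diff as an attachment would avoid that.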
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Thanks and I hope that helps.
--- Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> In a previous thread I described my scenario:
>
> >My scenario is simple. When I receive an authentication request for a
> >user, I want to run an external program and if everything goes OK,
> >return access-accept with some attributes, otherwise I want to return
> >access-reject with other attributes.
>
> This scenario is accomplished easily using the Exec-Program-Wait
> attribute in users file.
>
> When I try to accomplish the same thing with rlm_exec, as Doug Hardie
> and Alan suggested, I use configurable failover:
>
> radiusd.conf:
>
> exec callerid {
>     wait=yes
>     program=/space/radius/callerid.sh
>     input_pairs = request
>     output_pairs = reply
>     packet_type = Access-Request
> }
>
> in users I have
>
> CLIDACTIVATE Auth-Type := Local, User-Password=="AAA", Autz-Type := CLID
>
> and in the authorize section of radiusd.conf
>
> Autz-Type CLID{
>     callerid {
>         fail=reject
>     }
> }
>
> In this case when the external script returns a non zero exit code or
> fails I get an Access-Reject. However I cannot put any attributes
> inside this reject packet. If my script outputs pairs and exits with a
> non zero status, the pairs are not kept in the reject packet sent back
> to the client. So my questions are:
>
> - is it possible to have attributes in reject packets in rlm_exec
>   setups (something I can do with Exec-Program-Wait)?
> - is Exec-Program-Wait deprecated and probably removed in future
>   versions? If so, how can I accomplish my scenario?
>
> I need to make a decision for an imminent project.
>
> Thanks in advance
>
> Kostas
>
> --
> Kostas Zorbadelos
> Systems Developer, Otenet SA
> mailto: [EMAIL PROTECTED]
>
> Out there in the darkness, out there in the night
> out there in the starlight, one soul burns brighter
> than a thousand suns.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>